Re: [Nix-dev] NFS performance issues after upgrade to 16.09
Maybe it's something else?
https://www.clearos.com/clearfoundation/social/community/solved-nfs-causing-high-load

To further troubleshoot, I'd look into NFS logging to see what is being read/written, and snooping network traffic might be a quick way into that. Maybe in the new versions one of the apps started doing lots of mini writes with fsync?

Wout.

On Thu, Oct 13, 2016, 11:57 PM zimbatm wrote:

> For the channels look into https://github.com/NixOS/nixpkgs-channels. The
> branches here map directly to the channels that you can fetch publicly. If
> you figure out which files are being used by nfs then it's a matter of
> running a diff between the different branches.
>
> https://github.com/NixOS/nixpkgs-channels/blob/nixos-16.09/nixos/modules/services/network-filesystems/nfsd.nix
> doesn't seem to have changed since 16.03.
> It seems to be using the nfs-utils which you can find in the
> pkgs/top-level/all-packages.nix and follow from there. nfs-utils seems to
> have changed:
> https://github.com/NixOS/nixpkgs-channels/blob/nixos-16.09/pkgs/os-specific/linux/nfs-utils/default.nix
> There is also the kernel module that you might want to dig into.
>
> I know it's not a direct solution but hopefully it will give you some more
> things to try out.
>
> Cheers,
> z
>
> On Thu, 13 Oct 2016 at 15:18 4levels <4lev...@gmail.com> wrote:
>
> Hi Jonas,
>
> disabling fail2ban didn't help, now the Nginx webserver keeps crashing as
> soon as a php error occurs.
> Do you know by any chance if with the upgrade to nixos-16.09 a newer
> version of NFS is included than in 16.03? Maybe some default parameters in
> NFS have changed causing this havoc.
> As a more general question: how can I see which version of package x is
> used in nixos version y?
>
> Kind regards,
>
> Erik
>
> On Thu, Oct 13, 2016 at 11:05 AM 4levels <4lev...@gmail.com> wrote:
>
> Hi,
>
> thank you for your suggestions. I've disabled the firewall and fail2ban
> services, let's hope that does the trick!
> I'll report back when things are better..
>
> Kind regards,
>
> Erik
>
> On Thu, Oct 13, 2016 at 9:09 AM zimbatm wrote:
>
> Hi,
>
> What happens if you disable fail2ban? Maybe the behaviour has changed.
>
> Or try to change the kernel and NFS versions.
>
> I know it's not much help, all I can recommend is to try and replace each
> component to reduce the error.
>
> On Wed, 12 Oct 2016, 10:51 4levels, <4lev...@gmail.com> wrote:
>
> Dear Nix'ers,
>
> I've a permanent issue since the upgrade to nixos-16.09 in my local vm
> (with kvm-qemu from an SSD partition). The load of the vm is increasing
> over time without any signs in the output of top. Bash completion when
> traversing directories stalls and the whole system becomes unresponsive
> after about 5 to 10 minutes with top showing a load > 30. Even rebooting
> fails with several services failing to stop (eg. fail2ban, phpfpm, ).
>
> This has everything to do with NFS: as soon as I disable the NFS mounts,
> the system maintains normal operation. Nginx / phpfpm are using NFS
> mounted folders for local development.
>
> These are the filesystem declarations in the nixops expression:
>
> fileSystems."/data/dev" = {
>   device = "d01:/data/dev";
>   fsType = "nfs";
>   options = [ "defaults" "noatime" "nolock" "noacl" "vers=3" "udp"
>     "actimeo=1" ];
> };
> fileSystems."/extra/Documents" = {
>   device = "d01:/extra/Documents";
>   fsType = "nfs";
>   options = [ "defaults" "noatime" "nolock" "noacl" "vers=3" "udp"
>     "actimeo=1" ];
> };
>
> with d01 being declared in extrahosts
>
> networking.extraHosts = "192.168.121.1 d01 d01.local";
>
> Has anyone an idea how this could be related to the upgrade to 16.09? On
> 16.03 this all worked normally..
>
> Kind regards,
>
> Erik aka 4levels

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-commits] [NixOS/nixpkgs] b91d64: Libsystem: update to 10.11.6 version
Branch: refs/heads/staging
Home: https://github.com/NixOS/nixpkgs

Commit: b91d64463f060b05774e5cbfd589dcceca823973
https://github.com/NixOS/nixpkgs/commit/b91d64463f060b05774e5cbfd589dcceca823973
Author: Dan Peebles
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/os-specific/darwin/apple-source-releases/default.nix

Log Message:
---
Libsystem: update to 10.11.6 version

This actually has no effect but it bugged me to keep seeing an old version in the package names :) and since we're making a bunch of stdenv changes at once, I might as well.

Commit: ead242498132ae3b4a2c547f7cadbccb26c9c5a6
https://github.com/NixOS/nixpkgs/commit/ead242498132ae3b4a2c547f7cadbccb26c9c5a6
Author: Dan Peebles
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/os-specific/darwin/cctools/port.nix

Log Message:
---
cctools: fix triple for the assembler

This was breaking `boost155` and would probably break anything else that calls `as` with no explicit architecture.

Commit: e4dba74e8afd052dca5225250a8bce5f16f8ca1c
https://github.com/NixOS/nixpkgs/commit/e4dba74e8afd052dca5225250a8bce5f16f8ca1c
Author: Dan Peebles
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/stdenv/darwin/default.nix

Log Message:
---
darwin.stdenv: update MACOSX_DEPLOYMENT_TARGET

No point in claiming we're compatible with a version we don't try to support, and this will probably help with a few other things elsewhere.

Compare: https://github.com/NixOS/nixpkgs/compare/1e916de64070...e4dba74e8afd

___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits
[Nix-commits] [NixOS/nixpkgs] 107c03: Python: remove pythonSmall
Branch: refs/heads/staging
Home: https://github.com/NixOS/nixpkgs

Commit: 107c035bf04e1b7d133d31cf8f8d6a44ef6ae136
https://github.com/NixOS/nixpkgs/commit/107c035bf04e1b7d133d31cf8f8d6a44ef6ae136
Author: Frederik Rietdijk
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M doc/languages-frameworks/python.md
M pkgs/development/interpreters/python/cpython/2.7/default.nix
M pkgs/development/interpreters/python/cpython/3.3/default.nix
M pkgs/development/interpreters/python/cpython/3.4/default.nix
M pkgs/development/interpreters/python/cpython/3.5/default.nix
M pkgs/development/interpreters/python/cpython/3.6/default.nix
M pkgs/top-level/all-packages.nix
M pkgs/top-level/python-packages.nix

Log Message:
---
Python: remove pythonSmall

In #19309 a separate output for tkinter was added. Several dependencies of Python depend indirectly on Python. We have the following two paths:
```
‘python-2.7.12’ - ‘tk-8.6.6’ - ‘libXft-2.3.2’ - ‘libXrender-0.9.10’ - ‘libX11-1.6.4’ - ‘libxcb-1.12’ - ‘libxslt-1.1.29’- ‘libxml2-2.9.4’ - ‘python-2.7.12’
‘python-2.7.12’ - ‘tk-8.6.6’ - ‘libXft-2.3.2’ - ‘fontconfig-2.12.1’ - ‘dejavu-fonts-2.37’ - ‘fontforge-20160404’ - ‘python-2.7.12’
```
Because only `tkinter` needs this, I added
```
pythonSmall = python.override {x11Support = false;};
```
to break the infinite recursion. We also still have the output `tkinter`.

However, we might as well build without x11Support by default. Then we build with x11Support as well so we get the tkinter module and put that in a separate package.

Commit: 1e916de64070b59fa30c288df43ff59b380559d1
https://github.com/NixOS/nixpkgs/commit/1e916de64070b59fa30c288df43ff59b380559d1
Author: Daniel Peebles
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M doc/languages-frameworks/python.md
M pkgs/development/interpreters/python/cpython/2.7/default.nix
M pkgs/development/interpreters/python/cpython/3.3/default.nix
M pkgs/development/interpreters/python/cpython/3.4/default.nix
M pkgs/development/interpreters/python/cpython/3.5/default.nix
M pkgs/development/interpreters/python/cpython/3.6/default.nix
M pkgs/top-level/all-packages.nix
M pkgs/top-level/python-packages.nix

Log Message:
---
Merge pull request #19594 from FRidh/tkinter

Python: no separate output for tkinter but build interpreter twice

Compare: https://github.com/NixOS/nixpkgs/compare/80433e70302b...1e916de64070
[Nix-commits] [NixOS/nixpkgs] 4ed7db: ammonite-repl: init at 0.7.8
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 4ed7db95ac8bedb88702e9eb3cda9e34ddae2157
https://github.com/NixOS/nixpkgs/commit/4ed7db95ac8bedb88702e9eb3cda9e34ddae2157
Author: Tim Steinbach
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
A pkgs/development/tools/ammonite/default.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
ammonite-repl: init at 0.7.8

Commit: e3c3153dd0027fdc00e3c4692ff1fa286f8302e3
https://github.com/NixOS/nixpkgs/commit/e3c3153dd0027fdc00e3c4692ff1fa286f8302e3
Author: Tim Steinbach
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
A pkgs/development/tools/ammonite/default.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
Merge pull request #19608 from NeQuissimus/ammonite_0_7_8

ammonite-repl: init at 0.7.8

Compare: https://github.com/NixOS/nixpkgs/compare/5118c50ba359...e3c3153dd002
[Nix-commits] [NixOS/nixpkgs] acb80e: glances: 2.6.2 -> 2.7.1_1
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: acb80e9b73714eef2e00df6c26ec7f139303cdc6
https://github.com/NixOS/nixpkgs/commit/acb80e9b73714eef2e00df6c26ec7f139303cdc6
Author: Chris Darnell
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/top-level/python-packages.nix

Log Message:
---
glances: 2.6.2 -> 2.7.1_1

Commit: 5118c50ba359e4a6190b6dba3c35b342c67c7661
https://github.com/NixOS/nixpkgs/commit/5118c50ba359e4a6190b6dba3c35b342c67c7661
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/top-level/python-packages.nix

Log Message:
---
Merge pull request #19604 from cedeel/glances

glances: 2.6.2 -> 2.7.1_1

Compare: https://github.com/NixOS/nixpkgs/compare/b4d8f8b8e210...5118c50ba359
[Nix-commits] [NixOS/nixpkgs] b4d8f8: bind: Disable seccomp on non-x86
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: b4d8f8b8e21021eb72bc84476387c13543a983cd
https://github.com/NixOS/nixpkgs/commit/b4d8f8b8e21021eb72bc84476387c13543a983cd
Author: Tuomas Tynkkynen
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/servers/dns/bind/default.nix

Log Message:
---
bind: Disable seccomp on non-x86

The list of permitted syscalls in the seccomp sandbox is only defined for x86. It fails to build otherwise:

    In file included from /tmp/nix-build-bind-9.10.4-P3.drv-0/bind-9.10.4-P3/lib/isc/include/isc/magic.h:23:0,
                     from /tmp/nix-build-bind-9.10.4-P3.drv-0/bind-9.10.4-P3/lib/isc/include/isc/app.h:89,
                     from ./main.c:26:
    ./main.c: In function 'setup_seccomp':
    ./main.c:848:17: error: 'scmp_syscalls' undeclared (first use in this function)
         INSIST((sizeof(scmp_syscalls) / sizeof(int)) ==
[Nix-commits] [NixOS/nixpkgs] 025c74: aliases.nix: Fix syntax
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 025c74f248f3820440d45dd00c519cfba7744249
https://github.com/NixOS/nixpkgs/commit/025c74f248f3820440d45dd00c519cfba7744249
Author: Tuomas Tynkkynen
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/top-level/aliases.nix

Log Message:
---
aliases.nix: Fix syntax
[Nix-commits] [NixOS/nixpkgs] f87e99: google-authenticator: rename from googleAuthentica...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: f87e998c513c9e7c04b4ba16bec03107d53eac22
https://github.com/NixOS/nixpkgs/commit/f87e998c513c9e7c04b4ba16bec03107d53eac22
Author: Aneesh Agrawal
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/top-level/aliases.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
google-authenticator: rename from googleAuthenticator

Commit: 31b4fcd0b7438cb2d69537f0fb1ed3ec85fd6b0f
https://github.com/NixOS/nixpkgs/commit/31b4fcd0b7438cb2d69537f0fb1ed3ec85fd6b0f
Author: Aneesh Agrawal
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/os-specific/linux/google-authenticator/default.nix

Log Message:
---
google-authenticator: adopt package

Commit: 756a6949f87cd43e6c9933b25be52deddd600b56
https://github.com/NixOS/nixpkgs/commit/756a6949f87cd43e6c9933b25be52deddd600b56
Author: Jörg Thalheim
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/os-specific/linux/google-authenticator/default.nix
M pkgs/top-level/aliases.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
Merge pull request #19603 from aneeshusa/adopt-google-authenticator

[WIP] Adopt google authenticator

Compare: https://github.com/NixOS/nixpkgs/compare/8d80ad4175b6...756a6949f87c
Re: [Nix-dev] How do I know I can enableParallelBuilding?
> We should also document why parallel building is disabled by default.

build 3 times -> if it works 3 times you are likely to be fine.
You never know for sure.

mkDerivation {
  run = "1"; # should cause rebuild
  # inc 2 times
}

whether builds succeed depends on load/ moon /weather / your nose / disk load / (you get it)

Sometimes the authors know (mailinglist/google/irc)

Marc Weber
Re: [Nix-dev] How do I know I can enableParallelBuilding?
On 15/10/16 18:21, Vladimír Čunát wrote:
> For example, I personally think we could have `build-cores = 0` by
> default, as we only leave enableParallelBuilding = true for packages
> that don't fail because of it.

btw, do you have that option set up? If so, what is your general experience with it? how is the stability of the system, etc.

--
Ruben
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
What is the minimal replacement for Hydra? nix-build + dynamic remote builders + nar s3 upload?

On Sun, 16 Oct 2016 at 18:53 Kevin Cox wrote:

> On 16/10/16 18:32, Shea Levy wrote:
> > I think an automated system would be nicer, but yes this would resolve
> > the majority of my concern here.
> >
>
> I understand but I think Hydra works more than 95% of the time.
> Designing an automated system for the rare case when we need to push an
> emergency update sounds like it is unlikely to be fruitful. I think that
> if we are trying to create a backup for an automated system it would be
> beneficial to go quite bare bones.
[Nix-dev] NixOS London - 25 Oct - Using Nix in Production by Domen Kožar
Hi everyone,

I am happy to announce that Domen is coming to London! He will be giving a talk about his use of nix at Snabb.co which I am looking forward to listening to.

As usual after the talk we have a bit of a hacking session going on where we teach and learn. Followed by some rounds of beer at the nearby pub where we can exchange ideas and plans of world domination using nix.

Register over here if you want to join us:
https://www.meetup.com/NixOS-London/events/234809300/

The event is hosted by Skillsmatter which will also be recording the talk.

Cheers,
z
[Nix-commits] [NixOS/nixpkgs] 8d80ad: calibre: 2.68.0 -> 2.70.0
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 8d80ad4175b6c29f085a62549e96a3bd1e9950f0
https://github.com/NixOS/nixpkgs/commit/8d80ad4175b6c29f085a62549e96a3bd1e9950f0
Author: Pascal Wittmann
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/applications/misc/calibre/default.nix

Log Message:
---
calibre: 2.68.0 -> 2.70.0
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
On 16/10/16 18:32, Shea Levy wrote:
> I think an automated system would be nicer, but yes this would resolve
> the majority of my concern here.
>

I understand but I think Hydra works more than 95% of the time. Designing an automated system for the rare case when we need to push an emergency update sounds like it is unlikely to be fruitful. I think that if we are trying to create a backup for an automated system it would be beneficial to go quite bare bones.
[Nix-commits] [NixOS/nixpkgs] 56ca7c: homebank: 5.0.6 -> 5.1
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 56ca7ca1364259c127eda0a38564786c4a223521
https://github.com/NixOS/nixpkgs/commit/56ca7ca1364259c127eda0a38564786c4a223521
Author: Pascal Wittmann
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/applications/office/homebank/default.nix

Log Message:
---
homebank: 5.0.6 -> 5.1
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
I think an automated system would be nicer, but yes this would resolve the majority of my concern here.

Kevin Cox writes:

> [ Unknown signature status ]
> On 16/10/16 18:24, Shea Levy wrote:
>> The existing infrastructure will always have more load and be more
>> complex than what is needed for security updates. hydra is a fully
>> general CI system, and properly so, but it means the system is subject
>> to bugs and constraints that a simpler more focused system can avoid.
>>
>> Moreover, for better or for worse hydra.nixos.org is only manageable by
>> a small set of people who are not always available to service it (nor
>> should they have to be!). No amount of improving hydra will fix that.
>>
>
> I see your point. But for an emergency rebuild system for security fixes
> wouldn't it just make sense to have a couple of people with S3
> credentials? Most packages can be built on a mildly powerful machine in
> an hour. In the rare case that the package would take longer it probably
> wouldn't be improved by a cluster as it will be a serial dependency chain.
>
> So if we really want to reduce dependencies how about a couple of people
> trusted to push these updated packages?
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
On 16/10/16 18:24, Shea Levy wrote:
> The existing infrastructure will always have more load and be more
> complex than what is needed for security updates. hydra is a fully
> general CI system, and properly so, but it means the system is subject
> to bugs and constraints that a simpler more focused system can avoid.
>
> Moreover, for better or for worse hydra.nixos.org is only manageable by
> a small set of people who are not always available to service it (nor
> should they have to be!). No amount of improving hydra will fix that.
>

I see your point. But for an emergency rebuild system for security fixes wouldn't it just make sense to have a couple of people with S3 credentials? Most packages can be built on a mildly powerful machine in an hour. In the rare case that the package would take longer it probably wouldn't be improved by a cluster as it will be a serial dependency chain.

So if we really want to reduce dependencies how about a couple of people trusted to push these updated packages?
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
The existing infrastructure will always have more load and be more complex than what is needed for security updates. hydra is a fully general CI system, and properly so, but it means the system is subject to bugs and constraints that a simpler more focused system can avoid.

Moreover, for better or for worse hydra.nixos.org is only manageable by a small set of people who are not always available to service it (nor should they have to be!). No amount of improving hydra will fix that.

~Shea

Graham Christensen writes:

> -1 I think a better approach would be to bolster and support the existing
> infrastructure and fix its issues, not create a whole new set. Hydra
> already spins up and down AWS nodes depending on the number of jobs.
>
> - https://github.com/NixOS/hydra-provisioner
> - https://github.com/NixOS/nixos-org-configurations/tree/master/hydra-provisioner
> - https://hydra.nixos.org/machines -- I believe if you whois the
> struck-out IPs they'll all belong to AWS
>
> On Sun, Oct 16, 2016 at 12:56 PM Shea Levy wrote:
>
>> Hi all,
>>
>> hydra.nixos.org is a wonderful community resource, but its broad scope
>> and somewhat frequent downtime concerns me when it comes to security
>> updates. As a supplemental service, I propose we have a service, hosted
>> by a professional hosting company with 24/7 support and with multiple
>> trusted community members having administrative access, dedicated to
>> building only critical security updates and uploading them to the binary
>> cache, with the intention that these be used with
>> system.replaceRuntimeDependencies/pkgs.replaceDependency until hydra has
>> had a chance to update the entire channel. This service could work via
>> manual triggering by trusted users, github push notifications and commit
>> message parsing (to get the relevant attributes to build), signed git
>> commits, or some combination of these, and would *only* build the
>> directly affected packages (e.g. only rebuild glibc for a glibc
>> vulnerability, expecting users to use replaceDependency until hydra is
>> caught up). If it turns out to be useful, it could spin up AWS build
>> machines on demand to ensure a very rapid turnaround.
>>
>> Thoughts on this? I'm happy to help fund this significantly, but it
>> loses a lot of its value if it doesn't directly upload to the nixos.org
>> cache so I think it needs official support before following through.
>>
>> Thanks,
>> Shea
Re: [Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
-1 I think a better approach would be to bolster and support the existing infrastructure and fix its issues, not create a whole new set. Hydra already spins up and down AWS nodes depending on the number of jobs.

- https://github.com/NixOS/hydra-provisioner
- https://github.com/NixOS/nixos-org-configurations/tree/master/hydra-provisioner
- https://hydra.nixos.org/machines -- I believe if you whois the struck-out IPs they'll all belong to AWS

On Sun, Oct 16, 2016 at 12:56 PM Shea Levy wrote:

> Hi all,
>
> hydra.nixos.org is a wonderful community resource, but its broad scope
> and somewhat frequent downtime concerns me when it comes to security
> updates. As a supplemental service, I propose we have a service, hosted
> by a professional hosting company with 24/7 support and with multiple
> trusted community members having administrative access, dedicated to
> building only critical security updates and uploading them to the binary
> cache, with the intention that these be used with
> system.replaceRuntimeDependencies/pkgs.replaceDependency until hydra has
> had a chance to update the entire channel. This service could work via
> manual triggering by trusted users, github push notifications and commit
> message parsing (to get the relevant attributes to build), signed git
> commits, or some combination of these, and would *only* build the
> directly affected packages (e.g. only rebuild glibc for a glibc
> vulnerability, expecting users to use replaceDependency until hydra is
> caught up). If it turns out to be useful, it could spin up AWS build
> machines on demand to ensure a very rapid turnaround.
>
> Thoughts on this? I'm happy to help fund this significantly, but it
> loses a lot of its value if it doesn't directly upload to the nixos.org
> cache so I think it needs official support before following through.
>
> Thanks,
> Shea
[Nix-commits] [NixOS/nixpkgs] 104d69: hound: fixup meta
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 104d6965af3254a2fc6777de847abd1c7b4af237
https://github.com/NixOS/nixpkgs/commit/104d6965af3254a2fc6777de847abd1c7b4af237
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/development/tools/misc/hound/default.nix

Log Message:
---
hound: fixup meta

Commit: 33ac1e1d63f6f2f4f6b997a8688233102867acd2
https://github.com/NixOS/nixpkgs/commit/33ac1e1d63f6f2f4f6b997a8688233102867acd2
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M pkgs/data/fonts/raleway/default.nix

Log Message:
---
raleway: fix meta.homepage

Compare: https://github.com/NixOS/nixpkgs/compare/0842bc94e5c4...33ac1e1d63f6
[Nix-dev] 2nd Nix(OS) Hackathon Augsburg 4.–6.11. @OpenlabAugsburg
Fellow Nixers,

we’re having a three-day NixOS hackathon. It will be in the hackerspace of the wonderful city of Augsburg (Bavaria, Germany), at OpenLab Augsburg.

Friday, 4.11. – Sunday, 6.11.

On Saturday there will be an extensive introduction to NixOS for everyone interested. If you want to present what you are working on, there will be space for that, too.

Please RSVP here:
https://www.meetup.com/Munich-NixOS-Meetup/events/234896946/
or alternatively send me an email.

If anyone wants to travel from further, there is a nice youth hostel in the city center that is ~10–15 minutes away:
https://goo.gl/maps/bdeMWG84qUp
A bit more expensive, but directly over the street is the Stadthotel Augsburg
https://goo.gl/maps/vMfwYVgqXZt

Drinks are available, we are still talking to people about sponsoring the catering.

See you there!

--
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it’s urgent, call me.
[Nix-commits] [NixOS/nixpkgs] 4ceca4: samba4: 4.3.11 -> 4.4.6
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs

Commit: 4ceca4fe4f1d5f0fac900de8712edee56d9b51a7
https://github.com/NixOS/nixpkgs/commit/4ceca4fe4f1d5f0fac900de8712edee56d9b51a7
Author: Nikolay Amiantov
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
R pkgs/servers/samba/4.x-fix-ctdb-deps.patch
M pkgs/servers/samba/4.x-no-persistent-install.patch
M pkgs/servers/samba/4.x.nix

Log Message:
---
samba4: 4.3.11 -> 4.4.6

Commit: 40547dd4c41e3cf0628c0bb3e2384278cc539313
https://github.com/NixOS/nixpkgs/commit/40547dd4c41e3cf0628c0bb3e2384278cc539313
Author: Nikolay Amiantov
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
A pkgs/os-specific/linux/cachefilesd/default.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
cachefilesd: init at 0.10.9

Commit: 0842bc94e5c46e351b748638cf36a5b382921d5f
https://github.com/NixOS/nixpkgs/commit/0842bc94e5c46e351b748638cf36a5b382921d5f
Author: Nikolay Amiantov
Date: 2016-10-16 (Sun, 16 Oct 2016)

Changed paths:
M nixos/modules/module-list.nix
A nixos/modules/services/network-filesystems/cachefilesd.nix

Log Message:
---
cachefilesd service: init

Compare: https://github.com/NixOS/nixpkgs/compare/8cbdd9d0c290...0842bc94e5c4
[Nix-dev] Proposal: Highly available security-specific trusted build infrastructure
Hi all,

hydra.nixos.org is a wonderful community resource, but its broad scope and somewhat frequent downtime concerns me when it comes to security updates. As a supplemental service, I propose we have a service, hosted by a professional hosting company with 24/7 support and with multiple trusted community members having administrative access, dedicated to building only critical security updates and uploading them to the binary cache, with the intention that these be used with system.replaceRuntimeDependencies/pkgs.replaceDependency until hydra has had a chance to update the entire channel. This service could work via manual triggering by trusted users, github push notifications and commit message parsing (to get the relevant attributes to build), signed git commits, or some combination of these, and would *only* build the directly affected packages (e.g. only rebuild glibc for a glibc vulnerability, expecting users to use replaceDependency until hydra is caught up). If it turns out to be useful, it could spin up AWS build machines on demand to ensure a very rapid turnaround.

Thoughts on this? I'm happy to help fund this significantly, but it loses a lot of its value if it doesn't directly upload to the nixos.org cache so I think it needs official support before following through.

Thanks,
Shea
[Nix-dev] [RFC] Reliable compiler specification setting (at least include/lib dirs) through the process environment
Hello GCC and Clang devs!

Unlike the traditional approach of installing system libraries into one central location like /usr/{lib,include}, the nix package manager [1] installs each package into its own prefix (e.g. /nix/store/mn9kqag3d24v6q41x747zd7n5qnalch7-zlib-1.2.8-dev). Moreover, each package is built in its own environment determined from its explicitly listed dependencies, regardless of what else is installed on the system. Because not all package build scripts properly respect CFLAGS etc., we currently wrap the compiler [2] to respect custom environment variables like NIX_CFLAGS_COMPILE, so during the build of a package that depends on zlib and Xlib might have NIX_CFLAGS_COMPILE set to "-isystem /nix/store/bl0rz2xinsm9yslghd7n5vaba86zxknh-libX11-1.6.3-dev/include -isystem /nix/store/mn9kqag3d24v6q41x747zd7n5qnalch7-zlib-1.2.8-dev/include".

Unfortunately, as you can see if you click through the link or look through the git history, the wrapper is quite complex (frankly, hacky) and has evolved mostly through trial and error. Moreover, it's known to break things like response files [3] and is generally speaking a source of frustration.

I believe the situation would be much improved if gcc and clang supported some form of "environment-specific" configuration, either through environment variables or, if absolutely necessary, command line flags that can be passed unconditionally (note, for example, that we currently parse the cc command line to see if we're going to do any linking before deciding to pass in linking-specific options) and clearly have the semantics we want. Ideally we would be able to specify something on the level of abstraction of "this directory should be treated like you would normally treat /usr" and get e.g. /include, /lib, frameworks on OS X, etc. handled properly.

Would patches aimed at achieving this be considered for inclusion upstream? My current thought for a first step would be an environment variable specifying a file with command line flags that are ignored by the compiler driver in contexts where they are inapplicable or overridden by other command line flags, but I'm definitely open to guidance on how this should best be achieved from your perspective. I'm happy to do the work needed to get this in place if there is interest, please let me know!

Thanks,
Shea Levy

[1]: https://nixos.org/nix
[2]: https://github.com/NixOS/nixpkgs/blob/8cbdd9d0c290e294a9d783c8868e738db05c9ce2/pkgs/build-support/cc-wrapper/cc-wrapper.sh
[3]: https://github.com/NixOS/nixpkgs/commit/a421e7bd4a28c69bded8b17888325e31554f61a1
[Nix-commits] [NixOS/nixpkgs] 8cbdd9: nixos/release-notes: move "PHP config-file-scan-di...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 8cbdd9d0c290e294a9d783c8868e738db05c9ce2
https://github.com/NixOS/nixpkgs/commit/8cbdd9d0c290e294a9d783c8868e738db05c9ce2
Author: Bjørn Forsman
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M nixos/doc/manual/release-notes/rl-1609.xml
M nixos/doc/manual/release-notes/rl-1703.xml
Log Message:
---
nixos/release-notes: move "PHP config-file-scan-dir" from 16.09 to 17.03

Commits
351d12437 ("nixos/release-notes: PHP config-file-scan-dir /etc -> /etc/php.d")
41c8aa8d6 ("php: change config-file-scan-dir from /etc to /etc/php.d")
were merged to master _after_ NixOS 16.09. Commit 351d12437 then wrongly updated the NixOS 16.09 release notes. Fix by moving the entry to NixOS 17.03.

___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits
[Nix-commits] [NixOS/nixpkgs] f48a7c: linuxPackages.nvidia_x11: Remove us prefix from mi...
Branch: refs/heads/release-16.09
Home: https://github.com/NixOS/nixpkgs
Commit: f48a7ca345d48130f24ae02e31240076ca28765f
https://github.com/NixOS/nixpkgs/commit/f48a7ca345d48130f24ae02e31240076ca28765f
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/os-specific/linux/nvidia-x11/default.nix
Log Message:
---
linuxPackages.nvidia_x11: Remove us prefix from mirror

At the time of the last upgrade, the new driver wasn't available on anything but their US mirror. Pinning to the US mirror isn't recommended or preferable, but I did it anyway to be able to get the upgrade out.

(cherry picked from commit 634a098940396830f0f9cb6b38e6ac5f1e2f376e)
[Nix-commits] [NixOS/nixpkgs] 634a09: linuxPackages.nvidia_x11: Remove us prefix from mi...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 634a098940396830f0f9cb6b38e6ac5f1e2f376e
https://github.com/NixOS/nixpkgs/commit/634a098940396830f0f9cb6b38e6ac5f1e2f376e
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/os-specific/linux/nvidia-x11/default.nix
Log Message:
---
linuxPackages.nvidia_x11: Remove us prefix from mirror

At the time of the last upgrade, the new driver wasn't available on anything but their US mirror. Pinning to the US mirror isn't recommended or preferable, but I did it anyway to be able to get the upgrade out.
[Nix-commits] [NixOS/nixpkgs] 924870: httpie: 0.9.3 -> 0.9.6
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 92487043aef07f620034af9caa566adecd4a252b
https://github.com/NixOS/nixpkgs/commit/92487043aef07f620034af9caa566adecd4a252b
Author: schneefux
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/tools/networking/httpie/default.nix
Log Message:
---
httpie: 0.9.3 -> 0.9.6

Commit: 641fbb2140d5f594f751cda55159a0530a341a06
https://github.com/NixOS/nixpkgs/commit/641fbb2140d5f594f751cda55159a0530a341a06
Author: Tim Steinbach
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/tools/networking/httpie/default.nix
Log Message:
---
Merge pull request #19596 from schneefux/httpie

httpie: 0.9.3 -> 0.9.6

Compare: https://github.com/NixOS/nixpkgs/compare/ba1744249406...641fbb2140d5
[Nix-commits] [NixOS/nixpkgs] 443d83: matrix-synapse: Pass required --report-stats opt
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 443d83394782c108e1c0d8ddf44c0b11dd180770
https://github.com/NixOS/nixpkgs/commit/443d83394782c108e1c0d8ddf44c0b11dd180770
Author: Ruben Maher
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M nixos/modules/services/misc/matrix-synapse.nix
Log Message:
---
matrix-synapse: Pass required --report-stats opt

Commit: ba17442494063d41326d1f3c356f96b59641205a
https://github.com/NixOS/nixpkgs/commit/ba17442494063d41326d1f3c356f96b59641205a
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M nixos/modules/services/misc/matrix-synapse.nix
Log Message:
---
Merge pull request #19591 from eqyiel/master

matrix-synapse: Pass required --report-stats opt

Compare: https://github.com/NixOS/nixpkgs/compare/25ea97585f44...ba1744249406
[Nix-commits] [NixOS/nixpkgs] fddaeb: broadcom-sta: Support linux-4.8
Branch: refs/heads/release-16.09
Home: https://github.com/NixOS/nixpkgs
Commit: fddaeb9dc616d1db91e4b79846bff40815942167
https://github.com/NixOS/nixpkgs/commit/fddaeb9dc616d1db91e4b79846bff40815942167
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/os-specific/linux/broadcom-sta/default.nix
Log Message:
---
broadcom-sta: Support linux-4.8

(cherry picked from commit 37bc2c0bbff133ead4f99265f004d81dab9cb080)
[Nix-commits] [NixOS/nixpkgs] 37bc2c: broadcom-sta: Support linux-4.8
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 37bc2c0bbff133ead4f99265f004d81dab9cb080
https://github.com/NixOS/nixpkgs/commit/37bc2c0bbff133ead4f99265f004d81dab9cb080
Author: Graham Christensen
Date: 2016-10-15 (Sat, 15 Oct 2016)
Changed paths:
M pkgs/os-specific/linux/broadcom-sta/default.nix
Log Message:
---
broadcom-sta: Support linux-4.8

Commit: 25ea97585f44909e465a853032615e21f4999c3d
https://github.com/NixOS/nixpkgs/commit/25ea97585f44909e465a853032615e21f4999c3d
Author: Graham Christensen
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/os-specific/linux/broadcom-sta/default.nix
Log Message:
---
Merge pull request #19577 from grahamc/broadcom-sta-4.8

broadcom-sta: Support linux-4.8

Compare: https://github.com/NixOS/nixpkgs/compare/13293d108d25...25ea97585f44
[Nix-commits] [NixOS/nixpkgs] 1268d7: Document NixOS release process #4442
Branch: refs/heads/release-16.09
Home: https://github.com/NixOS/nixpkgs
Commit: 1268d793282a81ca2fecef9422f36f6fce00d788
https://github.com/NixOS/nixpkgs/commit/1268d793282a81ca2fecef9422f36f6fce00d788
Author: Vladimír Čunát
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M nixos/doc/manual/development/development.xml
A nixos/doc/manual/development/releases.xml
Log Message:
---
Document NixOS release process #4442

(Cherry-picked from bd11d5377ea4 and dadf6fc1d02.) http://nixos.org/nixos/manual/ shows the released version.
[Nix-commits] [NixOS/nixpkgs] 641a1e: git: enable credential-osxkeychain for darwin
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 641a1e433a20d0748775a3c9fd1c633f141ff279
https://github.com/NixOS/nixpkgs/commit/641a1e433a20d0748775a3c9fd1c633f141ff279
Author: dipinhora
Date: 2016-10-11 (Tue, 11 Oct 2016)
Changed paths:
M pkgs/applications/version-management/git-and-tools/git/default.nix
Log Message:
---
git: enable credential-osxkeychain for darwin

Commit: 13293d108d256f2889019afa0c1ed8486c80952d
https://github.com/NixOS/nixpkgs/commit/13293d108d256f2889019afa0c1ed8486c80952d
Author: zimbatm
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/applications/version-management/git-and-tools/git/default.nix
Log Message:
---
Merge pull request #19459 from dipinhora/git-osxkeychain

git: enable credential-osxkeychain for darwin

Compare: https://github.com/NixOS/nixpkgs/compare/64b2205bf434...13293d108d25
[Nix-commits] [NixOS/nixpkgs]
Branch: refs/heads/roxterm-broken
Home: https://github.com/NixOS/nixpkgs
[Nix-commits] [NixOS/nixpkgs] 0250b6: mark roxterm as broken
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 0250b647ae1e74803f341575449d334f6fe43f12
https://github.com/NixOS/nixpkgs/commit/0250b647ae1e74803f341575449d334f6fe43f12
Author: Aristid Breitkreuz
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/applications/misc/roxterm/default.nix
Log Message:
---
mark roxterm as broken

Commit: e6ca8b03758952ffca5f87bb8c972eea901cc09c
https://github.com/NixOS/nixpkgs/commit/e6ca8b03758952ffca5f87bb8c972eea901cc09c
Author: Aristid Breitkreuz
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/applications/misc/roxterm/default.nix
Log Message:
---
Merge pull request #19592 from NixOS/roxterm-broken

mark roxterm as broken

Compare: https://github.com/NixOS/nixpkgs/compare/6a380c20e02e...e6ca8b037589
[Nix-commits] [NixOS/nixpkgs] 0250b6: mark roxterm as broken
Branch: refs/heads/roxterm-broken
Home: https://github.com/NixOS/nixpkgs
Commit: 0250b647ae1e74803f341575449d334f6fe43f12
https://github.com/NixOS/nixpkgs/commit/0250b647ae1e74803f341575449d334f6fe43f12
Author: Aristid Breitkreuz
Date: 2016-10-16 (Sun, 16 Oct 2016)
Changed paths:
M pkgs/applications/misc/roxterm/default.nix
Log Message:
---
mark roxterm as broken