[Nix-commits] [NixOS/nixops] 8f4a67: Add deployment.keys..destDir and deployment.key...

2017-05-22 Thread Kosyrev Serge
  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixops
  Commit: 8f4a67ca591f9d127344bca3ecd752d3d97a716d
  
https://github.com/NixOS/nixops/commit/8f4a67ca591f9d127344bca3ecd752d3d97a716d
  Author: Kosyrev Serge <deepf...@users.noreply.github.com>
  Date:   2017-05-22 (Mon, 22 May 2017)

  Changed paths:
M nix/auto-luks.nix
M nix/keys.nix
M nixops/backends/__init__.py
A tests/functional/single_machine_elsewhere_key.nix
M tests/functional/test_send_keys_sends_keys.py

  Log Message:
  ---
  Add deployment.keys..destDir and deployment.keys..path (#664)

* deployment.keys:  Add a 'destination' option to override their default '/run/keys' target location

* keys..destinationFolder:  add a test

* destinationFolder -> destDir

* deployment.keys.*.destDir can't be null

* Fix #646 to add .path property to keys


___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits


[Nix-commits] [NixOS/nixops] d4ac7d: PoC | tests: add a libvirtd backend test (#668)

2017-05-18 Thread Kosyrev Serge
  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixops
  Commit: d4ac7d53f65d8b79b848f6bfb6cb7d943e88a931
  
https://github.com/NixOS/nixops/commit/d4ac7d53f65d8b79b848f6bfb6cb7d943e88a931
  Author: Kosyrev Serge <deepf...@users.noreply.github.com>
  Date:   2017-05-18 (Thu, 18 May 2017)

  Changed paths:
A tests/functional/single_machine_libvirtd_base.nix
M tests/functional/single_machine_test.py

  Log Message:
  ---
  PoC | tests:  add a libvirtd backend test (#668)

* tests:  add a libvirtd backend test

It's rather convenient to be able to run nixops tests locally, using libvirtd.

* single_machine_test.py:  switch string interpol to .format()




[Nix-commits] [NixOS/nixops] b2fdc4: deployment.keys: Add a 'keyFile' option to provid...

2017-05-15 Thread Kosyrev Serge
  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixops
  Commit: b2fdc4384f4ad48dadfaad16b42b9dd739d53226
  
https://github.com/NixOS/nixops/commit/b2fdc4384f4ad48dadfaad16b42b9dd739d53226
  Author: Kosyrev Serge <deepf...@users.noreply.github.com>
  Date:   2017-05-15 (Mon, 15 May 2017)

  Changed paths:
M nix/keys.nix
M nixops/backends/__init__.py

  Log Message:
  ---
  deployment.keys:  Add a 'keyFile' option to provide keys from local files, 
rather than from text literals. (#661)




[Nix-commits] [NixOS/nixpkgs] 38b2e2: virtualbox: a more maintenance-free way of patchi...

2017-03-27 Thread Kosyrev Serge
  Branch: refs/heads/release-17.03
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 38b2e27c15a353f8e7cf635b925671f17e39b0e5
  
https://github.com/NixOS/nixpkgs/commit/38b2e27c15a353f8e7cf635b925671f17e39b0e5
  Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
  Date:   2017-03-28 (Tue, 28 Mar 2017)

  Changed paths:
M pkgs/applications/virtualization/virtualbox/default.nix

  Log Message:
  ---
  virtualbox:  a more maintenance-free way of patching refs to 
dlopen()-affected dependencies

(cherry picked from commit 0c3138e6021dbca615d1f0efd0f3c6a2558d6f48)




[Nix-commits] [NixOS/nixpkgs] 0c3138: virtualbox: a more maintenance-free way of patchi...

2017-03-27 Thread Kosyrev Serge
  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 0c3138e6021dbca615d1f0efd0f3c6a2558d6f48
  
https://github.com/NixOS/nixpkgs/commit/0c3138e6021dbca615d1f0efd0f3c6a2558d6f48
  Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
  Date:   2017-03-28 (Tue, 28 Mar 2017)

  Changed paths:
M pkgs/applications/virtualization/virtualbox/default.nix

  Log Message:
  ---
  virtualbox:  a more maintenance-free way of patching refs to 
dlopen()-affected dependencies




Re: [Nix-dev] How do you work on big packages?

2017-03-21 Thread Kosyrev Serge

Dmitry Kalinkin writes:
>  On 17 Mar 2017, at 17:44, Vladimír Čunát  wrote:
>
>  I do believe the intention was for "SW distribution" etc, at least
>  primarily, and the suitability for development is a by-product due to
>  some properties, e.g. easy (non-)mixing of development and stable
>  versions/configs. Marc can surely remember the earlier days of NixOS.
>
> So nix has “nix copy” functionality to do the distribution part. But the rest 
> of the nix system allows to describe a
> relatively general computation process in Unix-like environment. I use nix 
> derivations to run a numerical
> calculation code and store intermediate steps in outputs. I imagine, there 
> are some “SW distribution”-oriented
> users facing more resistance when using nix than me doing my thing. I also 
> think that the nix/NixOS community
> will have lots of people who appreciate generality of nix as a tool.
>
>  It's even possible to use nix-build instead of make to compile
>  individual files, but there it just doesn't seem to be very suitable…
>
> Yes. Like https://github.com/edolstra/nix-make . I wonder what didn’t work 
> out.

Garbage management becomes complicated from a human perspective, I guess.

Perhaps, Nix could adopt a generational GC approach, to avoid mixing
long-lived packages-related-files and short-lived build-related files..

-- 
с уважениeм / respectfully,
Косырев Сергей
--
“Most deadly errors arise from obsolete assumptions.”
  -- Frank Herbert, Children of Dune
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


[Nix-commits] [NixOS/nixpkgs] 2841d8: nvidia_x11: 375.26 -> 375.39

2017-03-19 Thread Kosyrev Serge
  Branch: refs/heads/release-17.03
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 2841d8b2b931e35c0f39e14f1d5d2b9edbf67f1d
  
https://github.com/NixOS/nixpkgs/commit/2841d8b2b931e35c0f39e14f1d5d2b9edbf67f1d
  Author: Cray Elliott <m...@archlinux.us>
  Date:   2017-03-19 (Sun, 19 Mar 2017)

  Changed paths:
M pkgs/os-specific/linux/nvidia-x11/default.nix

  Log Message:
  ---
  nvidia_x11: 375.26 -> 375.39

nvidia_x11_beta: 378.09 -> 378.13

(cherry picked from commit 12083de992057d55a575a36965260d0c153bc13a)


  Commit: 7b200151e62c011e6ef4428b53bd822f19346ee8
  
https://github.com/NixOS/nixpkgs/commit/7b200151e62c011e6ef4428b53bd822f19346ee8
  Author: Cray Elliott <m...@archlinux.us>
  Date:   2017-03-19 (Sun, 19 Mar 2017)

  Changed paths:
M pkgs/os-specific/linux/nvidia-x11/generic.nix

  Log Message:
  ---
  nvidia_x11_beta: add patch to support Linux 4.10.x

thanks to bendlas for the review for pointing out a way to grab the patch 
remotely!

(cherry picked from commit 8799254eac48f8b351aef941f3ff330e309ab150)


  Commit: b2a97cadd10e4188063f97b7cc9ceeb3e4afaaf8
  
https://github.com/NixOS/nixpkgs/commit/b2a97cadd10e4188063f97b7cc9ceeb3e4afaaf8
  Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
  Date:   2017-03-19 (Sun, 19 Mar 2017)

  Changed paths:
M pkgs/os-specific/linux/nvidia-x11/generic.nix

  Log Message:
  ---
  nvidia-x11:  don't patch things if libsOnly requested

(cherry picked from commit d18f55269c3a0d83c0c34875b6047adb12e4b581)


  Commit: 80cff1f3ca7b19cf80e019c6721a15efb812ebd0
  
https://github.com/NixOS/nixpkgs/commit/80cff1f3ca7b19cf80e019c6721a15efb812ebd0
  Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
  Date:   2017-03-19 (Sun, 19 Mar 2017)

  Changed paths:
M pkgs/os-specific/linux/nvidia-x11/builder.sh

  Log Message:
  ---
  nvidia-x11:  $bin can be empty

(cherry picked from commit d860a68fd0f203983a734094ef6eb78707c586c2)


Compare: https://github.com/NixOS/nixpkgs/compare/39332aaecf21...80cff1f3ca7b


[Nix-commits] [NixOS/nixpkgs] 4f8b40: quodlibet: rename to quodlibet, quodlibet-without...

2017-01-25 Thread Kosyrev Serge
  Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 4f8b4069e5dbfdb319fa394f0f3b3fa9aa10d673
  
https://github.com/NixOS/nixpkgs/commit/4f8b4069e5dbfdb319fa394f0f3b3fa9aa10d673
  Author: Kosyrev Serge <skosy...@ptsecurity.com>
  Date:   2017-01-25 (Wed, 25 Jan 2017)

  Changed paths:
M pkgs/applications/audio/quodlibet/default.nix
M pkgs/top-level/all-packages.nix

  Log Message:
  ---
  quodlibet:  rename to quodlibet, quodlibet-without-gst-plugins

The gst-plugin-less version is barely useful out of the box, so it is
the one that should be relegated to a less prominent spot in the namespace.




Re: [Nix-dev] List of companies using NixOS

2016-12-09 Thread Kosyrev Serge
Our company, Positive Technologies, uses dockerized Nix to compose
fine-tuned environments for development of bare-metal security software.

-- 
с уважениeм / respectfully,
Косырев Сергей
--
“Most deadly errors arise from obsolete assumptions.”
  -- Frank Herbert, Children of Dune


Re: [Nix-dev] Seemingly inexplicable proliferation of gcc/glibc runtimes

2016-07-26 Thread Kosyrev Serge
Kosyrev Serge <_deepf...@feelingofgreen.ru> writes:
> What I see is this:

Whoops!  I'm afraid last minute changes slightly broke formatting..

Here goes the fixed version:

[deepfire@andromedae:~]$ nix-analyze-rootlike glibc; echo; nix-analyze-rootlike gcc
; analyzing "/nix/store/*-glibc-*" (minus noise)
referrers       | disc  | correlation to profile
closure direct  | size  | user  system
1073    807     | 22M   | 109   25      /nix/store/dad9vxniabwzidvvxfsfj6vb0xncsbbb-glibc-2.23
210     165     | 22M   | 0     0       /nix/store/phffgv3pwihmpdyk8xsz3wv8ydysch8w-glibc-2.23
159     22      | 34M   | 0     0       /nix/store/i0l0jjkk82wsqz9z5yhg35iy78bjq684-glibc-2.21
5       5       | 22M   | 0     0       /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21

; analyzing "/nix/store/*-gcc-*" (minus noise)
referrers       | disc  | correlation to profile
closure direct  | size  | user  system
388     10      | 116M  | 428           /nix/store/scfqn9hsh9k1b0j1y1znzrkr2a5k-gcc-5.4.0
148     5       | 91M   | 0     0       /nix/store/cpv8pyc772cx0spzz76sa6dvsf6555dh-gcc-4.8.4
7       2       | 116M  | 0     0       /nix/store/l8y2srrkp5fflwph7vq0gllj1k1ai17w-gcc-5.3.0


-- 
с уважениeм / respectfully / Z poważaniem,
Косырев Сергей


[Nix-dev] Seemingly inexplicable proliferation of gcc/glibc runtimes

2016-07-24 Thread Kosyrev Serge
Good day!

I am trying to understand the reasons for the multiplicity of glibc/gcc
runtimes installed on my NixOS system -- on fresh nixpkgs master (434f9d1).

The status quo is a system with:

 - a single system profile (system-290-link)
 - a single user profile (profile-483-link)
 - an empty root user profile (default-4-link)

,----
| [deepfire@andromedae:~]$ nix-store --gc --print-roots
| /nix/var/nix/profiles/default-4-link -> /nix/store/vvm18ixrgpn9zgzp5h3lkiyx6rqfj3qn-user-environment
| /nix/var/nix/profiles/per-user/deepfire/profile-483-link -> /nix/store/bg1z2vwb28my9grrpnc192a3c3sq3l8d-user-environment
| /nix/var/nix/profiles/system-290-link -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
| /run/booted-system -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
| /run/current-system -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
`----

Additionally:

 1. everything in the user environment was passed through
    'nix-env --upgrade --leq --always',
    so it ought to be completely synchronized with nixpkgs=434f9d1

 2. the booted system environment == the current system environment, as
it can be seen

 3. there seems to be no pinned custom environments that I could find --
not that I ever made one, actually

 4. nix-store --gc, obviously

What I see is this:

,----
| [deepfire@andromedae:~]$ nix-analyze-rootlike glibc; nix-analyze-rootlike gcc
| ; analyzing "/nix/store/*-glibc-*" (minus noise)
| referrers       | disc  | correlation to profile
| closure direct  | size  | user  system
| 1073    807     | 22M   | 109   25      /nix/store/dad9vxniabwzidvvxfsfj6vb0xncsbbb-glibc-2.23
| 210     165     | 22M   | 0     0       /nix/store/phffgv3pwihmpdyk8xsz3wv8ydysch8w-glibc-2.23
| 159     22      | 34M   | 0     0       /nix/store/i0l0jjkk82wsqz9z5yhg35iy78bjq684-glibc-2.21
| 5       5       | 22M   | 0     0       /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
| ; analyzing "/nix/store/*-gcc-*" (minus noise)
| referrers       | disc  | correlation to profile
| closure direct  | size  | user  system
| 388     10      | 116M  | 428           /nix/store/scfqn9hsh9k1b0j1y1znzrkr2a5k-gcc-5.4.0
| 148     5       | 91M   | 0     0       /nix/store/cpv8pyc772cx0spzz76sa6dvsf6555dh-gcc-4.8.4
| 7       2       | 116M  | 0     0       /nix/store/l8y2srrkp5fflwph7vq0gllj1k1ai17w-gcc-5.3.0
`----

The tools used to generate this are at https://github.com/deepfire/nix-store-analysis:

   - https://github.com/deepfire/nix-store-analysis/blob/master/nix-analyze-rootlike
   - https://github.com/deepfire/nix-store-analysis/blob/master/nix-correlate-rootlike-to-current-userenv
   - https://github.com/deepfire/nix-store-analysis/blob/master/nix-correlate-rootlike-to-system

The basic idea is to take a store path, and correlate its referrer
closure with the "leaf set" of store paths, where "leaf set" consists
of:
   - system packages:   nix-store --query --references /nix/var/nix/profiles/system
   - user packages:     nix-env --query --installed --out-path

As it can be seen, there are three glibc and two gcc store paths that
are obviously involved, yet inexplicable -- given the above model, and
the contents of the "About the package zoo" section below.

  *   *   *

Probing a simple case
=====================

Looking at the simplest case (the glibc with smallest --referrers-closure) provides the following picture:

[deepfire@andromedae:~]$ nix-store --query --referrers-closure /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
/nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
/nix/store/5m6i1h71xp6r7k381hrsv5qwn3s6b93h-libXau-1.0.8
/nix/store/kx1l6yis70h9sly7cs4b95jq0j8yxjqr-libXdmcp-1.1.2
/nix/store/bxsi9xrrfc0qw3ndys83rppwqxbn33ma-libxcb-1.11.1
/nix/store/62bmpi8kll9kj8il89kdaddvzib3r4pm-libX11-1.6.3

Why would these be used anywhere on their own?

How are we supposed to understand what is going on?

Should I file a ticket?

-- 
с уважениeм / respectfully / Z poważaniem,
Косырев Сергей
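
The correlation described in the message above, as an added example (it is not the nix-store-analysis scripts and not code from the post). It walks a constructed reference graph instead of calling nix-store, and it assumes "correlation" means the number of leaf-set paths found in the referrer closure; all path names are made up.

```python
from collections import defaultdict

# Constructed sample: store path -> paths it references, i.e. what
# `nix-store --query --references` would print. Names are shortened and invented.
REFERENCES = {
    "glibc-2.23-a": [],
    "glibc-2.21-b": [],
    "libXau": ["glibc-2.21-b"],
    "libXdmcp": ["glibc-2.21-b"],
    "libxcb": ["libXau", "libXdmcp", "glibc-2.21-b"],
    "libX11": ["libxcb", "glibc-2.21-b"],
    "bash": ["glibc-2.23-a"],
    "openssh": ["glibc-2.23-a", "bash"],
    "firefox": ["glibc-2.23-a"],
}
# Constructed "leaf sets": what the system profile references, and what
# `nix-env --query --installed --out-path` would list for the user.
SYSTEM_LEAVES = {"bash", "openssh"}
USER_LEAVES = {"firefox"}


def invert(references):
    """Turn path -> references into path -> direct referrers."""
    referrers = defaultdict(set)
    for path, refs in references.items():
        for ref in refs:
            referrers[ref].add(path)
    return referrers


def referrers_closure(path, referrers):
    """The path itself plus everything that transitively refers to it."""
    seen, stack = {path}, [path]
    while stack:
        for parent in referrers.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def analyze(path, references, user_leaves, system_leaves):
    """One table row: closure size, direct referrers, leaf-set overlap."""
    referrers = invert(references)
    closure = referrers_closure(path, referrers)
    return {
        "closure": len(closure),
        "direct": len(referrers.get(path, ())),
        "user": len(closure & user_leaves),      # assumed meaning of "correlation"
        "system": len(closure & system_leaves),
    }


def unexplained(candidates, references, user_leaves, system_leaves):
    """Paths that still have referrers but are reached from no profile leaf."""
    rows = {p: analyze(p, references, user_leaves, system_leaves) for p in candidates}
    return [p for p, r in rows.items() if r["user"] == 0 and r["system"] == 0]


if __name__ == "__main__":
    for p in ("glibc-2.23-a", "glibc-2.21-b"):
        print(p, analyze(p, REFERENCES, USER_LEAVES, SYSTEM_LEAVES))
    print(unexplained(["glibc-2.23-a", "glibc-2.21-b"],
                      REFERENCES, USER_LEAVES, SYSTEM_LEAVES))
```

A row with zero user and zero system correlation is the "involved, yet inexplicable" case: the path is kept alive by referrers that no profile leaf accounts for.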


Re: [Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09

2016-02-18 Thread Kosyrev Serge
rocon...@theorem.ca writes:
> I am using the following expression which I believe will build a patched
> version of glibc locally, and then build a patched NixOS derivation.
>
> system.replaceRuntimeDependencies = with pkgs.lib;
>   [{original = pkgs.glibc; replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches = oldAttr.patches ++
>     [(pkgs.fetchurl { url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>                       sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})];
>    });}
>   ];
>
> I didn't time it, but I think it took around 25 minutes to update my
> desktop machine this way.  Good luck everyone.

For those of us who aren't that fluent in Nix idioms -- could you
provide a quick summary of how you manage to achieve the seemingly
impossible?

Normally, one would expect that updating glibc would cause a full system
rebuild, but in your case it's obviously not the case.

And lastly -- is this somehow related to the techniques proposed for
providing NixOS with security updates?

-- 
с уважениeм / respectfully,
Косырев Сергей


[Nix-dev] Using nix-shell in messy trees with symlinks and binary files

2016-02-18 Thread Kosyrev Serge
Good day, folks!

What I'm seeing is a rather disturbingly odd, context-dependent behavior of nix-shell:

,----
| [deepfire@andromedae:~/src/foo]$ nix-shell default.nix
| warning: dumping very large path (> 256 MiB); this may run out of memory
| error: file ‘/home/deepfire/src/foo/generated/rootfs/chroot/dev/fuse’ has an unsupported type
| (use ‘--show-trace’ to show detailed location information)
|
| [deepfire@andromedae:~/src/foo]$ mv default.nix scripts/
|
| [deepfire@andromedae:~/src/foo]$ nix-shell scripts/default.nix
|
| [nix-shell:~/src/foo]$
`----

The directory structure, indeed, has some oddities -- device files,
symlink loops, this kind of stuff.

Consideration that nix-shell tries to compute some.. hash.. out of it all,
sends shivers down my spine.  That's a lot of stuff to hash through.

If this theory is, indeed, correct, what would be the way to make
nix-shell disregard certain paths from the equation?

-- 
respectfully,
Косырев Сергей
head of the virtualization technologies department
Positive Technologies


Re: [Nix-dev] ghcHEAD broken?

2015-08-11 Thread Kosyrev Serge
Peter Simons sim...@cryp.to writes:
> Hi Kosyrev,
>
>  > I'm trying to replicate the fix for ghcNokinds, but the determinism
>  > two-liner doesn't seem to be enough on its own.
>
> I would expect that adding the files VERSION and GIT_COMMIT_ID to the
> source tree would suffice. The build log says:
>
>   checking for GHC version date... configure: WARNING: cannot determine snapshot version: no .git directory and no VERSION file
>   checking for GHC Git commit id... configure: WARNING: cannot determine snapshot revision: no .git directory and no 'GIT_COMMIT_ID' file
>
> Apparently, the build process respects those files, no? What exactly
> happens when you compile the nokinds GHC that way and try to use it?

Sure, that's why I've adopted your determinism two-liner:

,----
|postUnpack = ''
|  pushd ghc-${builtins.substring 0 7 rev}
| +echo ${version} VERSION
| +echo ${rev} GIT_COMMIT_ID
|  patchShebangs .
|  ./boot
|  popd
`----
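
Review bot: as shown, the two added lines in postUnpack have no output redirection, so `echo ${version} VERSION` and `echo ${rev} GIT_COMMIT_ID` only print those strings to the build log and create no files. The configure warnings quoted earlier look for a VERSION file and a 'GIT_COMMIT_ID' file in the source tree, so each line should write its value into the file after the pushd, for example `echo ${version} > VERSION`; it is also worth confirming that `ghc-${builtins.substring 0 7 rev}` is the directory configure runs in, since that is where the files land.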

..which still fails like this:

,----
| [deepfire@andromedae:~/src/moodel]$ nix-store --realise /nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv
| these derivations will be built:
|   /nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv
| building path(s) ‘/nix/store/kyqccq06a75wms3kklc9cykvn68bfp2c-ghc-nokinds-7.11.20150718’
| created 39 symlinks in user environment
| ghc-pkg: /nix/store/kyqccq06a75wms3kklc9cykvn68bfp2c-ghc-nokinds-7.11.20150718/lib/ghc-7.11.20150718/package.conf.d/package.cache: you don't have permission to modify this file
| builder for ‘/nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv’ failed with exit code 1
`----

..but I've also noticed, that you have also bumped the ghcHEAD version,
and so I wondered if this made part of the difference..

-- 
respectfully,
Косырев Серёга
--
“And those who were seen dancing were thought to be insane
 by those who could not hear the music.”
 – Friedrich Wilhelm Nietzsche