nix eval tries to create ~/.cache even with eval-cache disabled #12575

YorikSar opened this issue Feb 27, 2025 · 0 comments
YorikSar commented Feb 27, 2025

Describe the bug

During evaluation Nix tries to cache some things, creating $XDG_CACHE_HOME/nix to store them. With earlier releases of Nix, we could do evaluation with a homeless user by providing --option eval-cache false, which was enough to stop Nix from doing that. Using the latest versions of Nix, that is not enough, and whenever I try to eval an attribute from a flake, I get an error:

error:
       … while fetching the input 'path:/nix/store/n02pfxwf6aagif7p8q0b9in8cmhmppnb-source'

       error: creating directory '/private/var/empty/.cache': Operation not permitted

Steps To Reproduce

I managed to only reproduce this on macOS.

  1. Create a user home set to /var/empty:

    sudo sysadminctl -addUser testuser -home /var/empty -shell /run/current-system/sw/bin/bash
    
  2. Clone some flake, for example Nix itself:

    git clone https://github.com/NixOS/nix.git
    
  3. Try evaluating a value from the flake using that user:

    echo "nix eval $(nix eval --impure --expr '(builtins.getFlake "git+file://'"$PWD"'").outPath')#packages.aarch64-darwin.nix --option eval-cache false" | sudo su - testuser
    

    Note that I copy the flake to Nix store to share it with the user, but it could be any shared path.

  4. Get the error mentioned before:

    error:
           … while fetching the input 'path:/nix/store/v3dmpb929wbfyimml3ypiish9n4kzpxh-source'
    
           error: creating directory '/var/empty/.cache/nix': Operation not permitted
    

I tried reproducing this issue using a Linux VM via NixOS tests, but it appears to be specific to macOS.

Reproducing in NixOS test

I wrote test.nix like this:

{
  nixpkgs ? builtins.getFlake "github:NixOS/nixpkgs/nixos-23.11",
  pkgs ? nixpkgs.legacyPackages.${builtins.currentSystem},
  nixFlake ? "nix/2.21.0",
  nix ? (builtins.getFlake (builtins.toString nixFlake)).packages.${builtins.currentSystem}.nix,
}:
let
  lockFileText = builtins.toJSON {
    version = 7;
    root = "root";
    nodes.root.inputs.nixpkgs = "nixpkgs";
    nodes.nixpkgs = {
      locked = {
        inherit (nixpkgs) lastModified narHash rev;
        type = "github";
        owner = "NixOS";
        repo = "nixpkgs";
      };
      original = {
        id = "nixpkgs";
        type = "indirect";
      };
    };
  };
  aflake = pkgs.runCommandNoCC "aflake" {
    buildInputs = [pkgs.nix];
  } ''
    mkdir -p $out
    cat > $out/flake.nix <<EOF
    {
      outputs = {self, nixpkgs}: {
        v = 1;
      };
    }
    EOF
    cat > $out/flake.lock <<EOF
    ${lockFileText}
    EOF
  '';
in
pkgs.testers.runNixOSTest {
  name = "test";
  nodes.machine = {
    nix.settings = {
      extra-experimental-features = ["nix-command" "flakes"];
      eval-cache = false;
    };
    users.users.testuser = {
      group = "testuser";
      home = "/var/empty";
      isSystemUser = true;
      shell = pkgs.bash;
    };
    users.groups.testuser = {};
    virtualisation.writableStore = true;
  };
  testScript = ''
    machine.start()
    machine.wait_for_unit("default.target")
    machine.succeed("echo '${pkgs.lib.getExe nix} eval ${aflake}#v' | su - testuser")
  '';
}

And tried running it against the same versions that fail on macOS like this:

nix build --no-link -f ./test.nix --argstr nixFlake git+file://$PWD\?rev=9b8e0a7790f468689caffa703319438b31519f6e

And it succeeded. Note that if I remove eval-cache = false; in the config, it fails on cache creation as expected.

Expected behavior

The flake should evaluate without ~/.cache available.

Metadata

Additional context

I've tried bisecting Nix repo between 2.20 and 2.21 branch points, as 2.21 seems to be the first release with this issue. I used this script to test commits:

#!/usr/bin/env bash
set -ueo pipefail

getnix() {
    nix="$(nix build --no-link --print-out-paths .#nix^out)"
}
if ! getnix; then
    exit 125
fi
echo "${nix}/bin/nix eval /nix/store/v3dmpb929wbfyimml3ypiish9n4kzpxh-source#packages.aarch64-darwin.nix --option eval-cache false" | sudo su - testuser

Note that if Nix fails to build, I tell git bisect to skip the commit using exit code 125.

Here's the resulting log of the bisection:

git bisect log
# bad: [72e145e415c5dac7d2557ef615784bcc9bf69f64] Merge pull request #10226 from edolstra/release-notes
# good: [9b8e0a7790f468689caffa703319438b31519f6e] Merge pull request #9877 from edolstra/release-notes
git bisect start '--first-parent' '72e145e41' '9b8e0a779'
# good: [774e7ca5847ebc392eac2a124a8f12b24da4f65a] Merge pull request #9914 from 9999years/debugger-on-trace
git bisect good 774e7ca5847ebc392eac2a124a8f12b24da4f65a
# skip: [6b976a1898cb1f6688da66725a8182279d83c0fa] Merge pull request #10143 from fricklerhandwerk/test-help
git bisect skip 6b976a1898cb1f6688da66725a8182279d83c0fa
# skip: [739f53aca4f7971165150b910061903c7d015ca6] Revert "Fix sudo in the darwin installer (#10128)"
git bisect skip 739f53aca4f7971165150b910061903c7d015ca6
# good: [d83008c3a797c8e4ec1e1a97c5b1bc5e6b02c561] documentation: clarify genericClosure (#10003)
git bisect good d83008c3a797c8e4ec1e1a97c5b1bc5e6b02c561
# skip: [67f95755d60a053c59c927e4c0716386cd3f5945] Merge pull request #10155 from NixOS/warn-against-changing-profile-version-number
git bisect skip 67f95755d60a053c59c927e4c0716386cd3f5945
# skip: [7764edf0e4f3dcf5f16e8436cc6f9e6984d1f467] Merge pull request #10078 from szlend/fix-macos-local-network-sandbox
git bisect skip 7764edf0e4f3dcf5f16e8436cc6f9e6984d1f467
# skip: [1ffcbddf62824475257da2e58b2047e87f5287c8] docs: add inherit to language overview (#10194)
git bisect skip 1ffcbddf62824475257da2e58b2047e87f5287c8
# skip: [73cf23275ecb44ac20bef00a5f731329f1ee4a7e] Merge pull request #10107 from tweag/repl-file-argument
git bisect skip 73cf23275ecb44ac20bef00a5f731329f1ee4a7e
# skip: [ef5cb446083a164b5eab2722224b716c8dd3afc7] Merge pull request #10197 from edolstra/github-treehash
git bisect skip ef5cb446083a164b5eab2722224b716c8dd3afc7
# good: [0a11080c58660f12b1183f47530f65d0a3db08b5] Merge pull request #10172 from lf-/jade/fix-9725
git bisect good 0a11080c58660f12b1183f47530f65d0a3db08b5
# skip: [a7b3249d68feb7a3663c1738b52a873ac756fa06] Merge pull request #10179 from edolstra/upload-release
git bisect skip a7b3249d68feb7a3663c1738b52a873ac756fa06
# skip: [38b79da1005545003f4d40eaaec794f5de6eb74f] Merge pull request #10149 from edolstra/use-flake-fingerprint
git bisect skip 38b79da1005545003f4d40eaaec794f5de6eb74f
# skip: [61b006ddf644f9a477c4654916069ac0b3786f54] Merge pull request #10174 from tweag/disable-failing-hydra-jobs
git bisect skip 61b006ddf644f9a477c4654916069ac0b3786f54
# skip: [bd828b19372e3c95282bdd9befde00cff91b28d2] Merge pull request #10150 from edolstra/always-upgrade-unlocked-flakerefs
git bisect skip bd828b19372e3c95282bdd9befde00cff91b28d2
# skip: [cb7ee1af89d9c4928f9309e7fc5497cb28db511f] Merge pull request #10175 from tweag/disable-i686-perl-bindings
git bisect skip cb7ee1af89d9c4928f9309e7fc5497cb28db511f
# bad: [ac730622e81336f42961cebea0f69bc637127ea4] document where the value of `builtins.nixPath` comes from (#9113)
git bisect bad ac730622e81336f42961cebea0f69bc637127ea4
# bad: [751cb7cf51d9dcdb0391a3ef0e7a0fe038fb1f90] Merge pull request #10178 from tweag/copy-built-outputs
git bisect bad 751cb7cf51d9dcdb0391a3ef0e7a0fe038fb1f90
# skip: [7d76bc8a39173e246f11ecd8f58f0afe17dc3bbb] Merge pull request #10152 from edolstra/fetcher-cleanups
git bisect skip 7d76bc8a39173e246f11ecd8f58f0afe17dc3bbb
# skip: [f175b3a4b755d1955787d66bbf8e2ee483f2b192] Revert "`install-multi-user.sh`: `_sudo`: add proxy variables to sudo"
git bisect skip f175b3a4b755d1955787d66bbf8e2ee483f2b192
# skip: [454456209f92007a896edb48634083fd7f4a34ad] Merge pull request #10165 from link2xt/patch-1
git bisect skip 454456209f92007a896edb48634083fd7f4a34ad
# skip: [da62528487853346bb5749777719b74e0e33045f] Merge pull request from GHSA-2ffj-w4mj-pg37
git bisect skip da62528487853346bb5749777719b74e0e33045f
# skip: [fb37e184a5750826db4895fb1eef79d8293482d3] Merge pull request #10176 from NixOS/relative-path-fingerprint
git bisect skip fb37e184a5750826db4895fb1eef79d8293482d3
# only skipped commits left to test
# possible first bad commit: [751cb7cf51d9dcdb0391a3ef0e7a0fe038fb1f90] Merge pull request #10178 from tweag/copy-built-outputs
# possible first bad commit: [a3163b9eabb952b4aa96e376dea95ebcca97b31a] Fix the outputs moving on macOS
# possible first bad commit: [fb37e184a5750826db4895fb1eef79d8293482d3] Merge pull request #10176 from NixOS/relative-path-fingerprint
# possible first bad commit: [0282499e183c3a7aa4aa263b242f4ddcb401220f] PathInputScheme::getFingerprint(): Don't barf on relative paths
# possible first bad commit: [da62528487853346bb5749777719b74e0e33045f] Merge pull request from GHSA-2ffj-w4mj-pg37
# possible first bad commit: [454456209f92007a896edb48634083fd7f4a34ad] Merge pull request #10165 from link2xt/patch-1
# possible first bad commit: [7d76bc8a39173e246f11ecd8f58f0afe17dc3bbb] Merge pull request #10152 from edolstra/fetcher-cleanups
# possible first bad commit: [bd828b19372e3c95282bdd9befde00cff91b28d2] Merge pull request #10150 from edolstra/always-upgrade-unlocked-flakerefs
# possible first bad commit: [38b79da1005545003f4d40eaaec794f5de6eb74f] Merge pull request #10149 from edolstra/use-flake-fingerprint
# possible first bad commit: [f175b3a4b755d1955787d66bbf8e2ee483f2b192] Revert "`install-multi-user.sh`: `_sudo`: add proxy variables to sudo"
# possible first bad commit: [739f53aca4f7971165150b910061903c7d015ca6] Revert "Fix sudo in the darwin installer (#10128)"
# possible first bad commit: [73cf23275ecb44ac20bef00a5f731329f1ee4a7e] Merge pull request #10107 from tweag/repl-file-argument
# possible first bad commit: [fe13d4a6e0d286d0ab8fcd8728bd41064dad69d0] Make search.nixos.org link in quick start clickable
# possible first bad commit: [0e07f81d2ba532e140539e91b57d6f85c952fee2] Fetcher cleanups
# possible first bad commit: [32bf39c73a9681317c4288aab16038dc6b401900] nix flake metadata: Don't show locked URL if it's not locked
# possible first bad commit: [2306e967674a7016c556e90e94e5f1e80171892a] nix profile upgrade: Always upgrade unlocked flakerefs
# possible first bad commit: [6558da45f5497eb54cc42866f81a3660862056ff] LockedFlake::getFingerprint(): Use Input::getFingerprint()
# possible first bad commit: [29049d26533fb9077b0214fad276804784e02e45] Implement getFingerprint() for store paths
# possible first bad commit: [2f0bc6373ce1cc62f6b0ec955a227762904a66df] Don't fail if a flakeref directly points to the flake.nix
# possible first bad commit: [11a1dcc43b3830dc25319719bccc71572136c57d] Properly fail on flakerefs that don't point to a directory
# possible first bad commit: [cd9baa18093cf863a852334721ea972bcd0c5902] Add release notes
# possible first bad commit: [65b79c52c66643a04bd9eb69b92d7e5c5587ca64] Fix a typo in a test comment
# possible first bad commit: [c3878f510ec12ca6bf24505989e7463249dab61a] Copy the output of fixed-output derivations before registering them
# possible first bad commit: [a55c6a0f4749084a5d85bb90a2de2b08349b6f37] Add a NixOS test for the sandbox escape

At a glance I can't see which of these could trigger such an issue.

Checklist


Add 👍 to issues you find important.

@YorikSar YorikSar added the bug label Feb 27, 2025
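
As an added example (not code from the issue or from the Nix project): a helper for a `git bisect run` script that marks a commit bad only when `nix eval` fails with the cache-directory error shown in the report, and skips commits that fail for any other reason. The function names are hypothetical, and the fallback to `$HOME/.cache` when `XDG_CACHE_HOME` is unset is assumed from the paths in the error messages.

```sh
# Added example, not part of the issue. Function names are hypothetical.

# Cache directory per the paths in the report: $XDG_CACHE_HOME/nix,
# falling back to $HOME/.cache/nix (assumed XDG default).
nix_cache_dir() {
    printf '%s/nix\n' "${XDG_CACHE_HOME:-${HOME:-}/.cache}"
}

# Strip the macOS /private prefix so /private/var/empty == /var/empty.
strip_private() {
    printf '%s\n' "${1#/private}"
}

# bisect_verdict STATUS STDERR_TEXT
# Prints the exit code a `git bisect run` script should use:
#   0   eval succeeded (good)
#   1   eval failed creating a directory at or under the cache home (bad)
#   125 eval failed for an unrelated reason (skip)
bisect_verdict() (
    status=$1
    cache_home=$(strip_private "$(dirname "$(nix_cache_dir)")")
    # Extract <path> from: error: creating directory '<path>': <reason>
    path=$(printf '%s\n' "$2" |
        sed -n "s/.*error: creating directory '\([^']*\)':.*/\1/p" |
        head -n 1)
    path=$(strip_private "$path")
    if [ "$status" -eq 0 ]; then
        echo 0
    else
        case $path in
            "$cache_home" | "$cache_home"/*) echo 1 ;;
            *) echo 125 ;;
        esac
    fi
)

# Error text copied from the report, used as sample input.
SAMPLE_STDERR="error:
       … while fetching the input 'path:/nix/store/v3dmpb929wbfyimml3ypiish9n4kzpxh-source'

       error: creating directory '/var/empty/.cache/nix': Operation not permitted"
```

In a bisect script, capture the exit status and stderr of the `nix eval` run as the test user, evaluate `bisect_verdict` with that user's `HOME`, and `exit` with the printed value.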