NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nixos/hardened: coreutils check fails in nix build #287194

Open MrQubo opened 7 months ago

MrQubo commented 7 months ago

Steps To Reproduce

Steps to reproduce the behavior:

  1. build coreutils

Build log

id: cannot find name for group ID 30000
separator.sh: set-up failure:
ERROR tests/chown/separator.sh (exit status: 99)

Additional context

Seems like the same issue happens in logrotate as well: https://github.com/NixOS/nix/issues/8502

Notify maintainers

@dasJ

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.75-hardened1, NixOS, 24.05 (Uakari), 24.05pre580425.faf912b08657`
 - multi-user?: `no`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - channels(nix): `""`
 - channels(root): `"home-manager, nixos, nixos-hardware, nur"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`


Atemu commented 7 months ago

Have you enabled dynamic UID allocation in Nix?

jackwilsdon commented 7 months ago

I can only reproduce this with hardening enabled (seems like @MrQubo also has it enabled from their metadata). Some related threads on Discourse:

Atemu commented 7 months ago

The appropriate maintainers to ping are @joachifm @emilazy then.

reidlabwastaken commented 6 months ago

Happens to me too - broke somewhere between nixpkgs commits 842d9d80cfd4560648c785f8a4e6f3b096790e19 and 1536926ef5621b09bba54035ae2bb6d806d72ac8 it looks like (my nixpkgs rev before error and after)

Atemu commented 6 months ago

@reidlabwastaken could you bisect?

reidlabwastaken commented 6 months ago

> @reidlabwastaken could you bisect?

I don't think I have the hardware good enough for that - sorry (raspberry pi 4)

Atemu commented 6 months ago

@reidlabwastaken the RPI4 isn't fast by any means but it can still compile software. coreutils isn't a very intensive build; takes about 6min on an x86 machine 1.6 times as fast as an RPI4.

Make sure you exclude staging commits by running a first-parent bisect; building the stdenv is certainly beyond what is reasonable for a RPI4.

alexkireeff commented 3 months ago

I tried building coreutils using 842d9d80cfd4560648c785f8a4e6f3b096790e19 using a hardened profile and it failed with the same error. When I run `sudo sysctl kernel.unprivileged_userns_clone=1` the build succeeds, so the issue is likely this line of the hardened profile.

I think this is the same underlying problem as this.

There is a similar issue here: https://github.com/NixOS/nix/issues/6898
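A preflight check for the setting named in the comment above, added here as an example and not part of the thread or of nixpkgs: it reports whether `kernel.unprivileged_userns_clone` currently blocks unprivileged user namespaces. The function name `userns_status`, its proc-root argument and the extra look at the mainline `user.max_user_namespaces` limit are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are permitted,
# using the sysctl named in the thread (kernel.unprivileged_userns_clone).
# $1 = proc mount to inspect (assumption of this example, so the logic can
#      be exercised against a constructed directory tree).
userns_status() {
    proc_root="${1:-/proc}"
    clone_knob="$proc_root/sys/kernel/unprivileged_userns_clone"
    max_knob="$proc_root/sys/user/max_user_namespaces"

    # This knob exists only on kernels carrying the patch (linux-hardened,
    # Debian-style kernels); its absence means it imposes no restriction.
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" = "0" ]; then
        echo "disabled: kernel.unprivileged_userns_clone=0"
        return 1
    fi

    # Mainline limit, not mentioned in the thread: 0 forbids new user namespaces.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = "0" ]; then
        echo "disabled: user.max_user_namespaces=0"
        return 1
    fi

    echo "enabled"
    return 0
}

# "sh script.sh check" inspects the live system and, where util-linux
# unshare is installed, confirms the result by creating a user namespace.
# Run it as the unprivileged user; root is not restricted by the sysctl.
if [ "${1:-}" = "check" ]; then
    userns_status /proc || true
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then
            echo "probe: user namespace created"
        else
            echo "probe: user namespace creation refused"
        fi
    fi
fi
```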