github DynamicUser cannot access nix-daemon #473

Closed
siriobalmelli opened this issue Jul 31, 2024 · 4 comments

Comments

@siriobalmelli

Running the following workflow file: https://github.com/siriobalmelli-foss/ci-test/blob/main/.github/workflows/aarch64-nix.yml

With the following role config:

```nix
roles.github-actions-runner = {
  url = "https://github.com/siriobalmelli-foss";
  count = 1;
  name = "ghrunner";
  githubApp = {
    id = "<ELIDED>";
    login = "<ELIDED>";
    privateKeyFile = config.sops.secrets.github.path;
  };
  cachix.cacheName = "siriobalmelli-nixpkgs";
  cachix.tokenFile = config.sops.secrets.cachix.path;
};
```

Gives the following error:

```
user 'ghrunner-1' is not allowed to connect to the Nix daemon
```

I can work around this by adding:

```nix
nix.settings.allowed-users = ["ghrunner-1"];
```

I'm pretty sure the DynamicUser being created should be able to access nix-daemon, correct?

I'm unsure, however, whether I should try to rework

```nix
systemd.services = flip mapAttrs' cfg (
```

so that it adds an entry to `nix.settings.allowed-users`, or whether I should take another approach; any suggestions welcome.

For context, this seems related to #50
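A module fragment that generalises the workaround from the post above to more than one runner, added here as an example (it is not code from the issue or from srvos). It assumes, from the `ghrunner-1` in the error message, that the role names its runner users `<name>-<n>` for n from 1 to `count`; the entries are merged into `nix.settings.allowed-users` alongside whatever other modules set there, so they extend the list rather than replace it.

```nix
# Added example, not from the issue or srvos.
# Assumption (inferred from the "ghrunner-1" in the error): the role
# creates one DynamicUser per runner named "<name>-<n>" for n = 1..count.
{ config, lib, ... }:
let
  cfg = config.roles.github-actions-runner;
  # "ghrunner-1", "ghrunner-2", ... up to cfg.count
  runnerUsers = map (i: "${cfg.name}-${toString i}") (lib.range 1 cfg.count);
in
{
  # List options are merged by the module system, so this adds the runner
  # users to allowed-users without dropping entries set elsewhere.
  nix.settings.allowed-users = runnerUsers;
}
```

If `count` changes, the allow-list follows it, which avoids the hand-maintained `["ghrunner-1"]` going stale.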

@SuperSandro2000 (Member)

> I'm pretty sure the DynamicUser being created should be able to access nix-daemon, correct?

That depends on the start order of the services. I think nix-daemon somehow only recognizes users that existed before it started. Generally I just remove all DynamicUsers that want to talk to the nix-daemon because of hard and seemingly time-wasting bugs like this.

@siriobalmelli (Author)

@SuperSandro2000 I see, thank you.

@zimbatm from looking at #50 it seems DynamicUser is being used for security reasons.

The use case I'm trying to support is GitHub runners which can run (and cache locally in their nix store) e.g. `nix flake check`, on aarch64 and x86_64.

Any suggestions what the best way forward would be? Once I better understand the correct approach I'm happy to file a PR.

@zimbatm (Member)

zimbatm commented Aug 5, 2024

What supersandro suggested. Or add a dependency to the nix-daemon.service on this one to ensure the loading order.

Most of our work is now going into https://github.com/nix-community/buildbot-nix, so this module will probably need to be removed at some point.

@siriobalmelli (Author)

Never mind, in the end I dropped srvos entirely and used nixpkgs github-runner directly.
