Nix daemon default allowed_users not working with wsl update

[Pleune]

I just updated a bunch of windows stuff, including to WSL 2.2.4.0:

WSL version: 2.2.4.0
Kernel version: 5.15.153.1-2
WSLg version: 1.0.61
MSRDC version: 1.2.5326
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26091.1-240325-1447.ge-release
Windows version: 10.0.22631.4037

And my previously working nix config, as well as updating to the current commit (WSL cc84991 and nixpkgs c04d5652) now no longer lets me run nix commands without sudo, with the error error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused

I don't know what would be causing this, but adding nix.settings.allowed_users = [ "@users" ]; fixes the issue. The default "*" does not work for some reason.

[SuperSandro2000]

Are you on nixos-unstable? Do you have nix.settings.trusted-users or nix.settings.allowed-users set in your config? Could it be that you need to adapt your config because of https://redirect.github.com/NixOS/nixpkgs/pull/318635 ?

[Pleune]

I've realized this is a little more complicated. I have the exact same flake installed on two wsl systems, my work laptop and my desktop. My laptop is fine. But, dandomly I will need to rerun rebuild switch on my desktop wsl instance before my user will be able to connect to the daemon. I have confirmed my user id is always 1000, and I have allowed users and trusted users both set to [ "*" "@users" ]

I don't really have any idea what is going on, because I don't really know how the nix daemon auth works...

[polybluez]

I had the same issue once, but I think I restarted the nix-daemon service and it started working just fine.

[SuperSandro2000]

What is nix show-config saying about allowed-users?

[malik-n]

I am having the exact same issue but I am also no longer able to rebuild the system.

What is nix show-config saying about allowed-users?

it says allowed-users = *

When trying to rebuild I get the following

error:
       … while calling the 'seq' builtin

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:322:18:

          321|         options = checked options;
          322|         config = checked (removeAttrs config [ "_module" ]);
             |                  ^
          323|         _module = checked (config._module);

       … while evaluating a branch condition

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:9:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |         ^
          262|           let

       … in the left operand of the AND (&&) operator

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:72:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |                                                                        ^
          262|           let

       … in the left operand of the AND (&&) operator

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:33:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |                                 ^
          262|           let

       … while evaluating a branch condition

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:254:12:

          253|
          254|         in if declaredConfig._module.freeformType == null then declaredConfig
             |            ^
          255|           # Because all definitions that had an associated option ended in

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:242:28:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                            ^
          243|

       … while calling 'mapAttrsRecursiveCond'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/attrsets.nix:1201:5:

         1200|     f:
         1201|     set:
             |     ^
         1202|     let

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:234:33:

          233|           ({ inherit lib options config specialArgs; } // specialArgs);
          234|         in mergeModules prefix (reverseList collected);
             |                                 ^
          235|

       … while calling 'reverseList'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/lists.nix:1116:17:

         1115|   */
         1116|   reverseList = xs:
             |                 ^
         1117|     let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:229:25:

          228|       merged =
          229|         let collected = collectModules
             |                         ^
          230|           class

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:445:37:

          444|
          445|     in modulesPath: initialModules: args:
             |                                     ^
          446|       filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:446:7:

          445|     in modulesPath: initialModules: args:
          446|       filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
             |       ^
          447|

       … while calling 'filterModules'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:413:36:

          412|       # modules recursively. It returns the final list of unique-by-key modules
          413|       filterModules = modulesPath: { disabled, modules }:
             |                                    ^
          414|         let

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:439:31:

          438|           disabledKeys = concatMap ({ file, disabled }: map (moduleKey file) disabled) disabled;
          439|           keyFilter = filter (attrs: ! elem attrs.key disabledKeys);
             |                               ^
          440|         in map (attrs: attrs.module) (builtins.genericClosure {

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:22:

          399|           let
          400|             module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
             |                      ^
          401|             collectedImports = collectStructuredModules module._file module.key module.imports args;

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:359:11:

          358|         then
          359|           m:
             |           ^
          360|             if m._class != null -> m._class == class

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:35:

          399|           let
          400|             module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
             |                                   ^
          401|             collectedImports = collectStructuredModules module._file module.key module.imports args;

       … while calling 'loadModule'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:336:53:

          335|       # Like unifyModuleSyntax, but also imports paths and calls functions if necessary
          336|       loadModule = args: fallbackFile: fallbackKey: m:
             |                                                     ^
          337|         if isFunction m then

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:337:12:

          336|       loadModule = args: fallbackFile: fallbackKey: m:
          337|         if isFunction m then
             |            ^
          338|           unifyModuleSyntax fallbackFile fallbackKey (applyModuleArgs fallbackKey m args)

       … while calling 'isFunction'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/trivial.nix:929:16:

          928|   */
          929|   isFunction = f: builtins.isFunction f ||
             |                ^
          930|     (f ? __functor && isFunction (f.__functor f));

       … while calling anonymous lambda

         at «string»:25:25:

           24|           inputs = builtins.mapAttrs
           25|             (inputName: inputSpec: allNodes.${resolveInput inputSpec})
             |                         ^
           26|             (node.inputs or {});

       … while calling anonymous lambda

         at «string»:10:13:

            9|     builtins.mapAttrs
           10|       (key: node:
             |             ^
           11|         let

       … from call site

         at «string»:47:21:

           46|
           47|           outputs = flake.outputs (inputs // { self = result; });
             |                     ^
           48|

       … while calling 'outputs'

         at /nix/store/5hp07s3qjv9153dvz5wxfzap5y5j94n6-source/flake.nix:45:5:

           44|   outputs =
           45|     inputs:
             |     ^
           46|     inputs.flake-parts.lib.mkFlake { inherit inputs; } {

       … while calling anonymous lambda

         at «string»:25:25:

           24|           inputs = builtins.mapAttrs
           25|             (inputName: inputSpec: allNodes.${resolveInput inputSpec})
             |                         ^
           26|             (node.inputs or {});

       … while calling anonymous lambda

         at «string»:10:13:

            9|     builtins.mapAttrs
           10|       (key: node:
             |             ^
           11|         let

       error: getting status of '/nix/store/8ql43f4sxqh1dbpqy2q5jz11zdwf9832-source': No such file or directory

[Pleune]

This just happened again. The config shown while broken attached: wsl_config_10.10.24.txt

systemctl restart nix-daemon.service did fix the problem. I cant see any differences in file permissions on the socket. The log before restarting looked normal too. I don't really know what else to check for any difference.

[malik-n]

After reboot the nix-shell command as normal user does no longer give the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves odd.
For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist

Same response with nix-shell -p neofetch --command "neofetch"

[polybluez]

After reboot the nix-shell command as normal user does no longer give the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves odd. For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist

Same response with nix-shell -p neofetch --command "neofetch"

You can try these commands:

wsl --shutdown
wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery 
$ su -- nixos
wsl -d NixOS --user nixos -- fish

Change the username and shell according to your configuration. I didn't have your issue per se, but these commands help solve a lot of other issues I had with NixOS-WSL. You have to run them each time you want to start NixOS in WSL though

[malik-n]

wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery

Thanks, but it did not solve my issue.

The configuration also stoped beeing able to be build inside my forgejo actions ci/cd pipeline, where the build abruptly fails with:

building '/nix/store/1shscmvvmcar3lrhw6cc02lv8mq5s1a2-unit-audit.service.drv'...
building '/nix/store/jpi3skppiiznv7c9zngww3fc6cvyixv4-home-manager-path.drv'...
building '/nix/store/w66wbz5zjlm9062zxgc090khw58hkpr4-home-manager-files.drv'...
copying path '/nix/store/wv8qrls5a9bb4kb997avkwidbxmaiysx-rustc-wrapper-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yn5i6m0gf3c4p9pr59dk00lp3bx1g0z1-rustfmt-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/xjf02cizjpsvla2kaqhb9waij85r71b7-cargo-1.77.2' from 'https://cache.nixos.org'...
building '/nix/store/bk8a0ilwgw084macwngd9dl7wqb9rw9r-unit-container-.service.drv'...
building '/nix/store/r6sc86hl93072qzb5ssaz38qhkkbsdwd-unit-container-getty-.service.drv'...
building '/nix/store/wf932p6npqy7as0v7556p2zgwwkjyw4d-unit-generate-shutdown-ramfs.service.drv'...
building '/nix/store/xwa2r90zzcyrp4s164666250j7mw6zsa-neovim-0.9.5.drv'...
building '/nix/store/g2zika2vzn3ga97kgjpw05y78qa6ag34-unit-getty-.service.drv'...
building '/nix/store/k49ryxgyx602vijpv28vgmmcdmlkjk3h-activation-script.drv'...
building '/nix/store/m69d8q7aq2bc1jyrqp294kwhl5qisckr-unit-kmod-static-nodes.service.drv'...
building '/nix/store/2n38phgrkvf5pij136q5y7m047iwdnpv-home-manager-generation.drv'...
building '/nix/store/jz4xr87x3k3hj8bgxkqnmlc43aahrfag-unit-logrotate-checkconf.service.drv'...
copying path '/nix/store/7yyjp09578244pvmslp17gcwpjv6czy9-auditable-cargo-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yy5446w88qxhwisk26qicvrmfcjlyghh-cargo-check-hook.sh' from 'https://cache.nixos.org'...
copying path '/nix/store/baimybqv63556b2x2f1c5i72kql2w7m9-cargo-build-hook.sh' from 'https://cache.nixos.org'...
building '/nix/store/cbiw1h8gpca6r6p1380pwyfvhys070pa-nixos-wsl-utils-1.0.0.drv'...
error (ignored): error: cannot unlink '/tmp/nix-build-nerdfonts-3.2.1.drv-0': Directory not empty
error: home directory '/homeless-shelter' exists; please remove it to assure purity of builds without sandboxing

[nzbr]

I've also needed to restart the nix daemon to be able to connect to it a few times in the last few weeks and I'm on stable (24.05) so there's a good chance this happens because microsoft changed something. Haven't touched allowed/trusted users at all

[Pleune]

This problem is very random, but since disabling cgroupsv1 for wsl for other reasons I have not experienced this again. I will edit here if the problem comes back even with forced cgroupsv2.

microsoft/WSL#10050 (comment)