Nix daemon default allowed_users not working with wsl update #549

Open
Pleune opened this issue Sep 21, 2024 · 11 comments
Labels
question Further information is requested

Comments

@Pleune

Pleune commented Sep 21, 2024

I just updated a bunch of windows stuff, including to WSL 2.2.4.0:

WSL version: 2.2.4.0
Kernel version: 5.15.153.1-2
WSLg version: 1.0.61
MSRDC version: 1.2.5326
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26091.1-240325-1447.ge-release
Windows version: 10.0.22631.4037

And my previously working nix config, as well as updating to the current commit (WSL cc84991 and nixpkgs c04d5652) now no longer lets me run nix commands without sudo, with the error error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused

I don't know what would be causing this, but adding nix.settings.allowed_users = [ "@users" ]; fixes the issue. The default "*" does not work for some reason.

@Pleune Pleune added the bug Something isn't working label Sep 21, 2024
@Pleune Pleune changed the title Nix daemon default allowed users not working with wsl update Nix daemon default allowed_users not working with wsl update Sep 21, 2024
@SuperSandro2000 SuperSandro2000 added question Further information is requested and removed bug Something isn't working labels Sep 24, 2024
@SuperSandro2000
Member

SuperSandro2000 commented Sep 24, 2024

Are you on nixos-unstable? Do you have nix.settings.trusted-users or nix.settings.allowed-users set in your config? Could it be that you need to adapt your config because of https://redirect.github.com/NixOS/nixpkgs/pull/318635 ?

@Pleune
Author

Pleune commented Sep 26, 2024

I've realized this is a little more complicated. I have the exact same flake installed on two WSL systems, my work laptop and my desktop. My laptop is fine. But, randomly I will need to rerun rebuild switch on my desktop WSL instance before my user will be able to connect to the daemon. I have confirmed my user id is always 1000, and I have allowed users and trusted users both set to [ "*" "@users" ]

I don't really have any idea what is going on, because I don't really know how the nix daemon auth works...

@polybluez

I had the same issue once, but I think I restarted the nix-daemon service and it started working just fine.

@SuperSandro2000
Member

What is nix show-config saying about allowed-users?

@malik-n

malik-n commented Oct 10, 2024

I am having the exact same issue but I am also no longer able to rebuild the system.

> What is nix show-config saying about allowed-users?

it says allowed-users = *

When trying to rebuild I get the following

error:
       … while calling the 'seq' builtin

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:322:18:

          321|         options = checked options;
          322|         config = checked (removeAttrs config [ "_module" ]);
             |                  ^
          323|         _module = checked (config._module);

       … while evaluating a branch condition

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:9:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |         ^
          262|           let

       … in the left operand of the AND (&&) operator

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:72:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |                                                                        ^
          262|           let

       … in the left operand of the AND (&&) operator

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:33:

          260|       checkUnmatched =
          261|         if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
             |                                 ^
          262|           let

       … while evaluating a branch condition

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:254:12:

          253|
          254|         in if declaredConfig._module.freeformType == null then declaredConfig
             |            ^
          255|           # Because all definitions that had an associated option ended in

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:242:28:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                            ^
          243|

       … while calling 'mapAttrsRecursiveCond'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/attrsets.nix:1201:5:

         1200|     f:
         1201|     set:
             |     ^
         1202|     let

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:234:33:

          233|           ({ inherit lib options config specialArgs; } // specialArgs);
          234|         in mergeModules prefix (reverseList collected);
             |                                 ^
          235|

       … while calling 'reverseList'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/lists.nix:1116:17:

         1115|   */
         1116|   reverseList = xs:
             |                 ^
         1117|     let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:229:25:

          228|       merged =
          229|         let collected = collectModules
             |                         ^
          230|           class

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:445:37:

          444|
          445|     in modulesPath: initialModules: args:
             |                                     ^
          446|       filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:446:7:

          445|     in modulesPath: initialModules: args:
          446|       filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
             |       ^
          447|

       … while calling 'filterModules'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:413:36:

          412|       # modules recursively. It returns the final list of unique-by-key modules
          413|       filterModules = modulesPath: { disabled, modules }:
             |                                    ^
          414|         let

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:439:31:

          438|           disabledKeys = concatMap ({ file, disabled }: map (moduleKey file) disabled) disabled;
          439|           keyFilter = filter (attrs: ! elem attrs.key disabledKeys);
             |                               ^
          440|         in map (attrs: attrs.module) (builtins.genericClosure {

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:22:

          399|           let
          400|             module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
             |                      ^
          401|             collectedImports = collectStructuredModules module._file module.key module.imports args;

       … while calling anonymous lambda

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:359:11:

          358|         then
          359|           m:
             |           ^
          360|             if m._class != null -> m._class == class

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:35:

          399|           let
          400|             module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
             |                                   ^
          401|             collectedImports = collectStructuredModules module._file module.key module.imports args;

       … while calling 'loadModule'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:336:53:

          335|       # Like unifyModuleSyntax, but also imports paths and calls functions if necessary
          336|       loadModule = args: fallbackFile: fallbackKey: m:
             |                                                     ^
          337|         if isFunction m then

       … from call site

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:337:12:

          336|       loadModule = args: fallbackFile: fallbackKey: m:
          337|         if isFunction m then
             |            ^
          338|           unifyModuleSyntax fallbackFile fallbackKey (applyModuleArgs fallbackKey m args)

       … while calling 'isFunction'

         at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/trivial.nix:929:16:

          928|   */
          929|   isFunction = f: builtins.isFunction f ||
             |                ^
          930|     (f ? __functor && isFunction (f.__functor f));

       … while calling anonymous lambda

         at «string»:25:25:

           24|           inputs = builtins.mapAttrs
           25|             (inputName: inputSpec: allNodes.${resolveInput inputSpec})
             |                         ^
           26|             (node.inputs or {});

       … while calling anonymous lambda

         at «string»:10:13:

            9|     builtins.mapAttrs
           10|       (key: node:
             |             ^
           11|         let

       … from call site

         at «string»:47:21:

           46|
           47|           outputs = flake.outputs (inputs // { self = result; });
             |                     ^
           48|

       … while calling 'outputs'

         at /nix/store/5hp07s3qjv9153dvz5wxfzap5y5j94n6-source/flake.nix:45:5:

           44|   outputs =
           45|     inputs:
             |     ^
           46|     inputs.flake-parts.lib.mkFlake { inherit inputs; } {

       … while calling anonymous lambda

         at «string»:25:25:

           24|           inputs = builtins.mapAttrs
           25|             (inputName: inputSpec: allNodes.${resolveInput inputSpec})
             |                         ^
           26|             (node.inputs or {});

       … while calling anonymous lambda

         at «string»:10:13:

            9|     builtins.mapAttrs
           10|       (key: node:
             |             ^
           11|         let

       error: getting status of '/nix/store/8ql43f4sxqh1dbpqy2q5jz11zdwf9832-source': No such file or directory

@Pleune
Author

Pleune commented Oct 10, 2024

This just happened again. The config shown while broken attached: wsl_config_10.10.24.txt

systemctl restart nix-daemon.service did fix the problem. I can't see any differences in file permissions on the socket. The log before restarting looked normal too. I don't really know what else to check for any difference.
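
One further check for the situation described above, as an added example that is not part of any comment or of the NixOS-WSL project: a Python probe that separates a missing socket file, a socket file with no listener behind it (the kernel returns ECONNREFUSED at connect(), before the daemon can evaluate allowed-users), a permission problem on the socket file, and a working listener. The function name and state labels are invented for this example; the socket path is the one from the error message in this thread.

```python
import errno
import os
import socket
import stat

# Path taken from the error message quoted in this thread.
NIX_DAEMON_SOCKET = "/nix/var/nix/daemon-socket/socket"


def probe_unix_socket(path, timeout=2.0):
    """Classify why a Unix stream socket can or cannot be connected to.

    Hypothetical helper for this example; returns (state, detail).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing", "no socket file at this path"
    except PermissionError:
        return "permission-denied", "cannot traverse a parent directory"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket", f"mode={stat.filemode(st.st_mode)}"
    meta = f"uid={st.st_uid} gid={st.st_gid} mode={stat.filemode(st.st_mode)}"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                # Socket file exists but no listening socket is bound to it.
                # The kernel rejects the connect(); no daemon code has run.
                return "refused", f"no listener behind socket file ({meta})"
            if e.errno in (errno.EACCES, errno.EPERM):
                # connect() needs write permission on the socket file.
                return "permission-denied", f"not writable by this user ({meta})"
            return "error", f"{e} ({meta})"
    return "listening", f"connect() succeeded ({meta})"


if __name__ == "__main__":
    state, detail = probe_unix_socket(NIX_DAEMON_SOCKET)
    print(f"{NIX_DAEMON_SOCKET}: {state}: {detail}")
```

Run it as the affected user while the failure is present and again after systemctl restart nix-daemon.service; a change from refused to listening with identical uid, gid and mode points at the listener rather than at socket permissions or allowed-users.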

@malik-n

malik-n commented Oct 10, 2024

After reboot the nix-shell command as normal user no longer gives the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves oddly.
For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist

Same response with nix-shell -p neofetch --command "neofetch"

@polybluez

polybluez commented Oct 10, 2024

> After reboot the nix-shell command as normal user no longer gives the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves oddly. For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist
>
> Same response with nix-shell -p neofetch --command "neofetch"

You can try these commands:

wsl --shutdown
wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery 
$ su -- nixos
wsl -d NixOS --user nixos -- fish

Change the username and shell according to your configuration. I didn't have your issue per se, but these commands help solve a lot of other issues I had with NixOS-WSL. You have to run them each time you want to start NixOS in WSL though

@malik-n

malik-n commented Oct 11, 2024

> wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery

Thanks, but it did not solve my issue.

The configuration also stopped being able to be built inside my Forgejo Actions CI/CD pipeline, where the build abruptly fails with:

building '/nix/store/1shscmvvmcar3lrhw6cc02lv8mq5s1a2-unit-audit.service.drv'...
building '/nix/store/jpi3skppiiznv7c9zngww3fc6cvyixv4-home-manager-path.drv'...
building '/nix/store/w66wbz5zjlm9062zxgc090khw58hkpr4-home-manager-files.drv'...
copying path '/nix/store/wv8qrls5a9bb4kb997avkwidbxmaiysx-rustc-wrapper-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yn5i6m0gf3c4p9pr59dk00lp3bx1g0z1-rustfmt-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/xjf02cizjpsvla2kaqhb9waij85r71b7-cargo-1.77.2' from 'https://cache.nixos.org'...
building '/nix/store/bk8a0ilwgw084macwngd9dl7wqb9rw9r-unit-container-.service.drv'...
building '/nix/store/r6sc86hl93072qzb5ssaz38qhkkbsdwd-unit-container-getty-.service.drv'...
building '/nix/store/wf932p6npqy7as0v7556p2zgwwkjyw4d-unit-generate-shutdown-ramfs.service.drv'...
building '/nix/store/xwa2r90zzcyrp4s164666250j7mw6zsa-neovim-0.9.5.drv'...
building '/nix/store/g2zika2vzn3ga97kgjpw05y78qa6ag34-unit-getty-.service.drv'...
building '/nix/store/k49ryxgyx602vijpv28vgmmcdmlkjk3h-activation-script.drv'...
building '/nix/store/m69d8q7aq2bc1jyrqp294kwhl5qisckr-unit-kmod-static-nodes.service.drv'...
building '/nix/store/2n38phgrkvf5pij136q5y7m047iwdnpv-home-manager-generation.drv'...
building '/nix/store/jz4xr87x3k3hj8bgxkqnmlc43aahrfag-unit-logrotate-checkconf.service.drv'...
copying path '/nix/store/7yyjp09578244pvmslp17gcwpjv6czy9-auditable-cargo-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yy5446w88qxhwisk26qicvrmfcjlyghh-cargo-check-hook.sh' from 'https://cache.nixos.org'...
copying path '/nix/store/baimybqv63556b2x2f1c5i72kql2w7m9-cargo-build-hook.sh' from 'https://cache.nixos.org'...
building '/nix/store/cbiw1h8gpca6r6p1380pwyfvhys070pa-nixos-wsl-utils-1.0.0.drv'...
error (ignored): error: cannot unlink '/tmp/nix-build-nerdfonts-3.2.1.drv-0': Directory not empty
error: home directory '/homeless-shelter' exists; please remove it to assure purity of builds without sandboxing

@nzbr
Member

nzbr commented Oct 13, 2024

I've also needed to restart the nix daemon to be able to connect to it a few times in the last few weeks and I'm on stable (24.05), so there's a good chance this happens because Microsoft changed something. Haven't touched allowed/trusted users at all.

@Pleune
Author

Pleune commented Oct 15, 2024

This problem is very random, but since disabling cgroupsv1 for wsl for other reasons I have not experienced this again. I will edit here if the problem comes back even with forced cgroupsv2.

microsoft/WSL#10050 (comment)
