nix icon indicating copy to clipboard operation
nix copied to clipboard
verified publisher icon NixOS

TCP support in the Nix daemon

Open edolstra opened this issue 4 years ago • 11 comments

This PR makes it possible to connect to a remote Nix daemon via TCP, and for the Nix daemon to listen on multiple sockets (including TCP) via systemd.

Lacking encryption/authentication, this is primarily useful to testing, e.g. when locally simulating high-latency SSH store connections via qdisc/netem.

Example usage:

# nix path-info --store tcp://example.org:1234 ...

edolstra avatar Sep 17 '21 08:09 edolstra

Great!! I was hoping we'd do these things.

Ericson2314 avatar Sep 20 '21 17:09 Ericson2314

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-18/15300/1

nixos-discourse avatar Oct 01 '21 09:10 nixos-discourse

I wonder if we really need that in Nix itself. if it is purely about testing locally wouldn't socat on the current unix socket work just fine?

andir avatar Oct 08 '21 01:10 andir

But for building something like nixbuild.net, this can be extremely helpful.

NickCao avatar Oct 08 '21 02:10 NickCao

To me this is good enough to merge I don't care about the daemon being able to open sockets of any sort because I basically believe one should always use socket activation.

I assume @edolstra is mainly waiting to get 2.4 our before returning to new features. That is also fine with me.

Ericson2314 avatar Oct 08 '21 19:10 Ericson2314

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/distributing-the-nix-store-with-cvmfs-nix/15706/2

nixos-discourse avatar Oct 27 '21 16:10 nixos-discourse

Lacking encryption/authentication, this is primarily useful to testing

Can you elaborate on this? What could an adversary with access to the TCP socket do, except for DoS (by consuming compute resources, bandwidth and disk space)? Is there a way for an adversary to compromise other users that use the same Nix daemon over TCP?

My potential use case: Sharing a long-living Nix daemon across short-living (and mutually distrusting) CI jobs.

haslersn avatar Dec 25 '21 00:12 haslersn

I marked this as stale due to inactivity. → More info

stale[bot] avatar Jul 10 '22 06:07 stale[bot]

I have fixed the comments in this, but before I go too far proposing it I figured it would be good to start with something like https://github.com/NixOS/nix/pull/7739

Ericson2314 avatar Feb 02 '23 19:02 Ericson2314

https://github.com/NixOS/nix/pull/6312 merges master into this.

Ericson2314 avatar Feb 03 '23 14:02 Ericson2314

(This can be rebased once https://github.com/NixOS/nix/pull/14723 is merged)

Ericson2314 avatar Dec 08 '25 17:12 Ericson2314