Nix daemon default allowed_users not working with wsl update
I just updated a bunch of windows stuff, including to WSL 2.2.4.0:
WSL version: 2.2.4.0
Kernel version: 5.15.153.1-2
WSLg version: 1.0.61
MSRDC version: 1.2.5326
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26091.1-240325-1447.ge-release
Windows version: 10.0.22631.4037
And my previously working nix config, as well as updating to the current commit (WSL cc84991d and nixpkgs c04d5652) now no longer lets me run nix commands without sudo, with the error error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused
I don't know what would be causing this, but adding nix.settings.allowed_users = [ "@users" ]; fixes the issue. The default "*" does not work for some reason.
Are you on nixos-unstable? Do you have nix.settings.trusted-users or nix.settings.allowed-users set in your config? Could it be that you need to adapt your config because of https://redirect.github.com/NixOS/nixpkgs/pull/318635 ?
I've realized this is a little more complicated. I have the exact same flake installed on two wsl systems, my work laptop and my desktop. My laptop is fine. But, randomly I will need to rerun rebuild switch on my desktop wsl instance before my user will be able to connect to the daemon. I have confirmed my user id is always 1000, and I have allowed users and trusted users both set to [ "*" "@users" ]
I don't really have any idea what is going on, because I don't really know how the nix daemon auth works...
I had the same issue once, but I think I restarted the nix-daemon service and it started working just fine.
What is nix show-config saying about allowed-users?
I am having the exact same issue but I am also no longer able to rebuild the system.
What is nix show-config saying about allowed-users?
it says allowed-users = *
When trying to rebuild I get the following
error:
… while calling the 'seq' builtin
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:322:18:
321| options = checked options;
322| config = checked (removeAttrs config [ "_module" ]);
| ^
323| _module = checked (config._module);
… while evaluating a branch condition
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:9:
260| checkUnmatched =
261| if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
| ^
262| let
… in the left operand of the AND (&&) operator
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:72:
260| checkUnmatched =
261| if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
| ^
262| let
… in the left operand of the AND (&&) operator
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:261:33:
260| checkUnmatched =
261| if config._module.check && config._module.freeformType == null && merged.unmatchedDefns != [] then
| ^
262| let
… while evaluating a branch condition
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:254:12:
253|
254| in if declaredConfig._module.freeformType == null then declaredConfig
| ^
255| # Because all definitions that had an associated option ended in
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:242:28:
241| # For definitions that have an associated option
242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
| ^
243|
… while calling 'mapAttrsRecursiveCond'
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/attrsets.nix:1201:5:
1200| f:
1201| set:
| ^
1202| let
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:234:33:
233| ({ inherit lib options config specialArgs; } // specialArgs);
234| in mergeModules prefix (reverseList collected);
| ^
235|
… while calling 'reverseList'
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/lists.nix:1116:17:
1115| */
1116| reverseList = xs:
| ^
1117| let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:229:25:
228| merged =
229| let collected = collectModules
| ^
230| class
… while calling anonymous lambda
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:445:37:
444|
445| in modulesPath: initialModules: args:
| ^
446| filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:446:7:
445| in modulesPath: initialModules: args:
446| filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
| ^
447|
… while calling 'filterModules'
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:413:36:
412| # modules recursively. It returns the final list of unique-by-key modules
413| filterModules = modulesPath: { disabled, modules }:
| ^
414| let
… while calling anonymous lambda
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:439:31:
438| disabledKeys = concatMap ({ file, disabled }: map (moduleKey file) disabled) disabled;
439| keyFilter = filter (attrs: ! elem attrs.key disabledKeys);
| ^
440| in map (attrs: attrs.module) (builtins.genericClosure {
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:22:
399| let
400| module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
| ^
401| collectedImports = collectStructuredModules module._file module.key module.imports args;
… while calling anonymous lambda
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:359:11:
358| then
359| m:
| ^
360| if m._class != null -> m._class == class
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:400:35:
399| let
400| module = checkModule (loadModule args parentFile "${parentKey}:anon-${toString n}" x);
| ^
401| collectedImports = collectStructuredModules module._file module.key module.imports args;
… while calling 'loadModule'
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:336:53:
335| # Like unifyModuleSyntax, but also imports paths and calls functions if necessary
336| loadModule = args: fallbackFile: fallbackKey: m:
| ^
337| if isFunction m then
… from call site
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/modules.nix:337:12:
336| loadModule = args: fallbackFile: fallbackKey: m:
337| if isFunction m then
| ^
338| unifyModuleSyntax fallbackFile fallbackKey (applyModuleArgs fallbackKey m args)
… while calling 'isFunction'
at /nix/store/ykpdymr1nf9vw3xa49xwglbn768mhih9-source/lib/trivial.nix:929:16:
928| */
929| isFunction = f: builtins.isFunction f ||
| ^
930| (f ? __functor && isFunction (f.__functor f));
… while calling anonymous lambda
at «string»:25:25:
24| inputs = builtins.mapAttrs
25| (inputName: inputSpec: allNodes.${resolveInput inputSpec})
| ^
26| (node.inputs or {});
… while calling anonymous lambda
at «string»:10:13:
9| builtins.mapAttrs
10| (key: node:
| ^
11| let
… from call site
at «string»:47:21:
46|
47| outputs = flake.outputs (inputs // { self = result; });
| ^
48|
… while calling 'outputs'
at /nix/store/5hp07s3qjv9153dvz5wxfzap5y5j94n6-source/flake.nix:45:5:
44| outputs =
45| inputs:
| ^
46| inputs.flake-parts.lib.mkFlake { inherit inputs; } {
… while calling anonymous lambda
at «string»:25:25:
24| inputs = builtins.mapAttrs
25| (inputName: inputSpec: allNodes.${resolveInput inputSpec})
| ^
26| (node.inputs or {});
… while calling anonymous lambda
at «string»:10:13:
9| builtins.mapAttrs
10| (key: node:
| ^
11| let
error: getting status of '/nix/store/8ql43f4sxqh1dbpqy2q5jz11zdwf9832-source': No such file or directory
This just happened again. The config shown while broken attached: wsl_config_10.10.24.txt
systemctl restart nix-daemon.service did fix the problem. I can't see any differences in file permissions on the socket. The log before restarting looked normal too. I don't really know what else to check for any difference.
After reboot the nix-shell command as normal user no longer gives the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves oddly.
For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist
Same response with nix-shell -p neofetch --command "neofetch"
After reboot the nix-shell command as normal user no longer gives the response error: cannot connect to socket at '/nix/var/nix/daemon-socket/socket': Connection refused but still behaves oddly.
For example the command to create a python venv in the current directory nix-shell -p python3 --command "python -m venv .venv --copies" fails since today with the error build input /nix/store/x5pfxw8jkaifsbqqhf4lahjxlkm5mfqf-update-autotools-gnu-config-scripts-hook does not exist
Same response with nix-shell -p neofetch --command "neofetch"
You can try these commands:
wsl --shutdown
wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery
$ su -- nixos
wsl -d NixOS --user nixos -- fish
Change the username and shell according to your configuration. I didn't have your issue per se, but these commands help solve a lot of other issues I had with NixOS-WSL. You have to run them each time you want to start NixOS in WSL though
wsl -d NixOS --system --user root -- /mnt/wslg/distro/bin/nixos-wsl-recovery
Thanks, but it did not solve my issue.
The configuration also stopped being able to be built inside my forgejo actions ci/cd pipeline, where the build abruptly fails with:
building '/nix/store/1shscmvvmcar3lrhw6cc02lv8mq5s1a2-unit-audit.service.drv'...
building '/nix/store/jpi3skppiiznv7c9zngww3fc6cvyixv4-home-manager-path.drv'...
building '/nix/store/w66wbz5zjlm9062zxgc090khw58hkpr4-home-manager-files.drv'...
copying path '/nix/store/wv8qrls5a9bb4kb997avkwidbxmaiysx-rustc-wrapper-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yn5i6m0gf3c4p9pr59dk00lp3bx1g0z1-rustfmt-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/xjf02cizjpsvla2kaqhb9waij85r71b7-cargo-1.77.2' from 'https://cache.nixos.org'...
building '/nix/store/bk8a0ilwgw084macwngd9dl7wqb9rw9r-unit-container-.service.drv'...
building '/nix/store/r6sc86hl93072qzb5ssaz38qhkkbsdwd-unit-container-getty-.service.drv'...
building '/nix/store/wf932p6npqy7as0v7556p2zgwwkjyw4d-unit-generate-shutdown-ramfs.service.drv'...
building '/nix/store/xwa2r90zzcyrp4s164666250j7mw6zsa-neovim-0.9.5.drv'...
building '/nix/store/g2zika2vzn3ga97kgjpw05y78qa6ag34-unit-getty-.service.drv'...
building '/nix/store/k49ryxgyx602vijpv28vgmmcdmlkjk3h-activation-script.drv'...
building '/nix/store/m69d8q7aq2bc1jyrqp294kwhl5qisckr-unit-kmod-static-nodes.service.drv'...
building '/nix/store/2n38phgrkvf5pij136q5y7m047iwdnpv-home-manager-generation.drv'...
building '/nix/store/jz4xr87x3k3hj8bgxkqnmlc43aahrfag-unit-logrotate-checkconf.service.drv'...
copying path '/nix/store/7yyjp09578244pvmslp17gcwpjv6czy9-auditable-cargo-1.77.2' from 'https://cache.nixos.org'...
copying path '/nix/store/yy5446w88qxhwisk26qicvrmfcjlyghh-cargo-check-hook.sh' from 'https://cache.nixos.org'...
copying path '/nix/store/baimybqv63556b2x2f1c5i72kql2w7m9-cargo-build-hook.sh' from 'https://cache.nixos.org'...
building '/nix/store/cbiw1h8gpca6r6p1380pwyfvhys070pa-nixos-wsl-utils-1.0.0.drv'...
error (ignored): error: cannot unlink '/tmp/nix-build-nerdfonts-3.2.1.drv-0': Directory not empty
error: home directory '/homeless-shelter' exists; please remove it to assure purity of builds without sandboxing
I've also needed to restart the nix daemon to be able to connect to it a few times in the last few weeks and I'm on stable (24.05) so there's a good chance this happens because microsoft changed something. Haven't touched allowed/trusted users at all
This problem is very random, but since disabling cgroupsv1 for wsl for other reasons I have not experienced this again. I will edit here if the problem comes back even with forced cgroupsv2.
https://github.com/microsoft/WSL/issues/10050#issuecomment-1552415151
Closing because I have not run into this issue recently. I never understood what was happening, but it appears to be fixed now.