nix-docker
Impurities in systemd.services.*.preStart scripts: missing pkgs.coreutils
Symptom
cat >example.nix <<EOF
{ config, pkgs, ... }:
{
config = {
docker.ports = [ 22 ];
services.openssh.enable = true;
};
}
EOF
nix-docker ./example.nix
sudo ./result/sbin/docker-run
results in a docker container in which sshd is never successfully started.
Investigation
Adding supervisord.tailLogs = true; to the config attribute above causes supervisord to report that
...
==> /var/log/supervisord/sshd.log <==
/nix/store/6i064z14nwmqqwfi70hkyr3frp0x2ih9-sshd-run: line 2: mkdir: not found
...
Workaround
Applying this patch:
diff --git a/nix-docker/modules/servers/openssh.nix b/nix-docker/modules/servers/openssh.nix
index a661915..876e870 100644
--- a/nix-docker/modules/servers/openssh.nix
+++ b/nix-docker/modules/servers/openssh.nix
@@ -255,7 +255,7 @@ in
stopIfChanged = false;
- path = [ pkgs.openssh pkgs.gawk ];
+ path = [ pkgs.openssh pkgs.gawk pkgs.coreutils ];
environment.LD_LIBRARY_PATH = "";
environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
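Review bot: adding pkgs.coreutils to path here fixes only the openssh module; since, as the report notes, other systemd.services.*.preStart scripts call mkdir the same way, consider instead appending pkgs.coreutils to the path that the generated *-run scripts spawned by supervisord receive for every service, otherwise the same "mkdir: not found" failure will recur module by module. A short comment next to the path list saying that coreutils is there for the preStart mkdir would also stop the entry from being dropped as unused later.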
works around the proximate problem but doesn't address the underlying issue that the scripts in systemd.services.*.preStart often call mkdir without adding pkgs.coreutils to the corresponding systemd.services.*.path list.
Thoughts
- Is the use of mkdir in systemd prestart scripts an impurity? If so, do we need to update a bunch of upstream nixpkgs + NixOS documentation?
- Should we change nix-docker's documentation or examples in order to better explain how to write (or to adapt existing) NixOS modules to work with supervisord/nix-docker?
- Should supervisord.tailLogs be true by default? (As a new user of nix-docker, this problem was much harder to debug than usual, simply because it wasn't at all clear how to get access to the logs from the processes that were failing to launch...)
- ...?
Credits
This bug was discovered with nix-1.6.1 on Debian wheezy/sid with docker.io_0.7.6+dfsg1-1 and nix-docker 3f234958bc68b76c9bbf56f76ee6c1b29e553958.
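An added example (not code from this issue or from the nix-docker repository) of the pattern the report describes, written as a NixOS-style module: the first service resolves mkdir through PATH and only works if the runner puts coreutils on the path for it, the second declares the dependency explicitly, and the third refers to the tool by store path so it does not depend on PATH at all. The service names and /var/lib/example are placeholders; the options used are assumed to be the standard systemd.services ones.

```nix
# Added example, not from the nix-docker repository or this issue.
# Service names and /var/lib/example are placeholders.
{ config, pkgs, ... }:
{
  # Fragile: mkdir is looked up through PATH. Under a runner that builds
  # PATH only from `path`, this is the "line 2: mkdir: not found" failure.
  systemd.services.example-fragile = {
    path = [ pkgs.openssh ];
    preStart = ''
      mkdir -p /var/lib/example
    '';
    serviceConfig.ExecStart = "${pkgs.openssh}/bin/sshd -D";
  };

  # Explicit: every package the preStart script needs is listed, which is
  # what the openssh.nix patch above does for that one module.
  systemd.services.example-explicit = {
    path = [ pkgs.openssh pkgs.coreutils ];
    preStart = ''
      mkdir -p /var/lib/example
    '';
    serviceConfig.ExecStart = "${pkgs.openssh}/bin/sshd -D";
  };

  # Pure: the tool is referenced by its store path, so the script works
  # regardless of what the runner puts in PATH, and the dependency is
  # visible to nix as a reference from the generated script.
  systemd.services.example-pure = {
    preStart = ''
      ${pkgs.coreutils}/bin/mkdir -p /var/lib/example
    '';
    serviceConfig.ExecStart = "${pkgs.openssh}/bin/sshd -D";
  };
}
```

Evaluating the module and running `strings` on the resulting *-run script shows the difference: only the pure form carries a /nix/store/...-coreutils-... reference, so it is the only one whose runtime dependency on coreutils nix can see.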
Just hit this same thing. I don't know much about nix, but debugged like so, maybe this will help someone else troubleshoot in the future - I'm new to nix but have played a decent amount with docker, so my approach is different than above.
I used the example ssh-config.nix and it built fine. But SSH did not appear to be listening after I started the container. First it felt like a bug due to ipv6 that some people are hitting (open docker issue), but I decided to look further.
(this is on a VM run with the nix-docker Vagrantfile)
vagrant@raring64-vanilla:~$ docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d76e947b5d9f nixy:latest /bin/sh -c /nix/stor 4 seconds ago Up 3 seconds 0.0.0.0:8899->22/tcp sharp_bohr
vagrant@raring64-vanilla:~$ docker inspect d76e947b5d9f | grep -A4 Cmd
"Cmd": [
"/bin/sh",
"-c",
"/nix/store/rx71dqxkf4rksczwkcbq97q8k4nw6lbl-boot"
],
vagrant@raring64-vanilla:~$ docker run -i -t nixy bash
bash-4.2# /nix/store/rx71dqxkf4rksczwkcbq97q8k4nw6lbl-boot
2014-02-06 22:49:40,750 CRIT Supervisor running as root (no user in config file)
2014-02-06 22:49:40,763 INFO supervisord started with pid 13
2014-02-06 22:49:41,766 INFO spawned: 'sshd' with pid 16
2014-02-06 22:49:41,775 INFO exited: sshd (exit status 127; not expected)
2014-02-06 22:49:42,779 INFO spawned: 'sshd' with pid 17
2014-02-06 22:49:42,785 INFO exited: sshd (exit status 127; not expected)
^C2014-02-06 22:49:43,384 WARN received SIGINT indicating exit request
bash-4.2# cd /var/run/supervisord
bash-4.2# ls
sshd.log supervisord.log
bash-4.2# cat sshd.log
/nix/store/i068v58w5b2risgp4l3hicrmwcfgmigy-sshd-run: line 2: mkdir: not found
/nix/store/i068v58w5b2risgp4l3hicrmwcfgmigy-sshd-run: line 2: mkdir: not found
But I am 100% at a loss as to the cause and solution, need to go read up on nix. It looks really great, though learning yet-another-functional-language is involved, sigh.
Last thought - not sure if this is pure or impure to you nix guys, but directories can be easily created during build, rather than boot.