cachix/cachix-action

Use cachix-action on a NixOS host

peperunas opened this issue · 22 comments

What is the best way to set-up cachix on a NixOS host running with a services.github-runner?

As per the issue raised on the NixOS matrix channel, this is a log I got from my attempt.

  /nix/store/l0wlqpbsvh1pgvhcdhw7qkka3d31si7k-bash-5.1-p8/bin/bash -c nix-env --quiet -j8 -iA cachix -f https://cachix.org/api/v1/install
  error: opening lock file '/nix/var/nix/profiles/per-user/github-runner/profile.lock': Read-only file system
  Error: Action failed with error: Error: The process '/nix/store/l0wlqpbsvh1pgvhcdhw7qkka3d31si7k-bash-5.1-p8/bin/bash' failed with exit code 1

How exactly are you running github runner?

May I ask what you mean by this?

This is the .yml file:

  build-release:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v2
      - uses: cachix/cachix-action@v10
        with:
          name: mycache
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      - run: nix build -L

The runner is simply enabled in my configuration.nix, nothing fancy.

Could you also paste configuration.nix snippet so I can reproduce?

Sure!

Here it is:

{
  services.github-runner = {
    enable = true;
    url = "https://github.com/project";
    tokenFile = "/secrets/github-runner/token";
    replace = true;
  };

  nix.extraOptions = ''
    tarball-ttl = 0
    access-tokens = github.com=token
  '';
}

It seems like the user doesn't have access to the profile, I can take a look at this next week.

Is there anything I can do to help? I could try to give it a go as it may be a good learning opportunity for me :-)

You can check who the owner of /nix/var/nix/profiles/per-user/github-runner is, and under which user the cachix-install commands run.

So, I took a look a few days ago but then I got sidetracked. It seems that everything is owned by github-runner; I am not sure what's happening.

I'll take a look tomorrow!

Sorry, actually the builds are running under nixbld and the profile is owned by github-runner, my bad, sorry Domen!

I have the same error. @peperunas, please tell me how you fixed it?

I solved it with my cachix-action fork, and adding cachix to services.github-runner.extraPackages

@peperunas @domenkozar

Happy to accept a PR to skip installation if cachix is already installed!

Ok, done: #109

I'm facing this as well, and I'm noticing that even though cachix is in the github-runner's extraPackages, it doesn't show up in the PATH within cachix-action's scripts.

So the following still tries to install cachix (and fails to do so):

      - name: Setup cachix
        uses: cachix/cachix-action@v10
        with:
          (...)
          installCommand: |
            if ! type -f cachix; then
              nix-env -if https://github.com/cachix/cachix/tarball/master \
                --substituters 'https://cache.nixos.org https://cachix.cachix.org' \
                --trusted-public-keys 'cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY='
            fi

I would expect the above to work, because I verified in a separate step that cachix is indeed available:

      - name: Check if cachix is installed
        id: cachix_exists
        run: |
          cachix --version
        continue-on-error: false

Here's some proof from a slightly modified version of the above, where I modified the install script to rely on the external existence check:

I'll try to get #109 merged to address this.

@steveej could you try using #123 branch?

Released v11 that addresses the issues here, please let me know if it works so we can close :)

I just tried, and the installation of cachix, or rather the skipping thereof in my case, works!

My remaining issue is in getting the cachix settings to actually take effect. This is from an SSH session in the runner's context for this CI job instance:

[github-runner@nixos:~/holochain/holochain]$ cat /etc/nix/nix.conf
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix.  Do not edit it!
allowed-users = *
auto-optimise-store = false
builders =
cores = 0
experimental-features = nix-command flakes
extra-sandbox-paths =
max-jobs = auto
require-sigs = true
sandbox = true
sandbox-fallback = false
substituters = https://cache.nixos.org/
system-features = nixos-test benchmark big-parallel kvm
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = root github-runner sshsession


[github-runner@nixos:~/holochain/holochain]$ cat ~/.config/nix/nix.conf
substituters = https://cache.nixos.org https://cache.nixos.org/ https://holochain-ci.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=

[github-runner@nixos:~/holochain/holochain]$ id
uid=61779(github-runner) gid=61779(github-runner) groups=61779(github-runner)

[github-runner@nixos:~/holochain/holochain]$ nix-shell https://holochain.love
warning: ignoring untrusted substituter 'https://holochain-ci.cachix.org'

I'm not sure where this global /etc/nix/nix.conf actually lives. The ones on the NixOS host and on the nixos-container instance that runs github-runner.service look different and only have trusted-users = root set. This is probably the issue that renders the cachix settings ineffective in my case.

I found what I consider a workaround to the issue I've explained.

In my situation there's a NixOS host that runs multiple NixOS containers, which in turn run github-runner. To get the "github-runner" user trusted, and so get cachix-action to work from a workflow, I added this to the host's and the container's NixOS config:

  nix.settings.trusted-users = [
    "root"
    "github-runner"
  ];
  users.users.github-runner = {
    uid = 1000;
    isSystemUser = true;
    createHome = false;
    group = "github-runner";
  };
  users.groups.github-runner = {};

Only if I add this in both places is the host's nix-daemon happy to allow the workflow to introduce ad-hoc extra-substituters.
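As an added example (not code from this thread or from the cachix project), the following Python models the nix-daemon decision behind the "ignoring untrusted substituter" warning and the trusted-users workaround above: a substituter from the user's own nix.conf is only honoured when the user matches trusted-users (user name, `@group`, or `*`) or the URL is already in the system's substituters/trusted-substituters. The sample configurations are constructed from the ones pasted in the thread; comparing URLs with a trailing slash stripped and ignoring `extra-substituters` are simplifications of this example, not documented Nix behaviour.

```python
"""Added example: model Nix's trusted-user / substituter check (not from the thread)."""
from __future__ import annotations

# Constructed from the thread: daemon-side /etc/nix/nix.conf variants and the
# runner user's ~/.config/nix/nix.conf.
SYSTEM_CONF_TRUSTED = """
substituters = https://cache.nixos.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
trusted-substituters =
trusted-users = root github-runner sshsession
"""
SYSTEM_CONF_ROOT_ONLY = "substituters = https://cache.nixos.org/\ntrusted-users = root\n"
USER_CONF = """
substituters = https://cache.nixos.org https://cache.nixos.org/ https://holochain-ci.cachix.org
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=
"""

def parse_nix_conf(text: str) -> dict[str, list[str]]:
    """Parse 'name = value value ...' lines; '#' starts a comment, an empty value gives []."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, _, value = line.partition("=")
            conf[name.strip()] = value.split()
    return conf

def is_trusted_user(system: dict[str, list[str]], user: str, groups: tuple[str, ...] = ()) -> bool:
    """trusted-users accepts user names, '@group' entries and '*'; Nix's default is 'root'."""
    for entry in system.get("trusted-users", ["root"]):
        if entry in ("*", user) or (entry.startswith("@") and entry[1:] in groups):
            return True
    return False

def ignored_substituters(system_text: str, user_text: str, user: str,
                         groups: tuple[str, ...] = ()) -> list[str]:
    """Return the user-configured substituters the daemon would warn about and drop."""
    system, userconf = parse_nix_conf(system_text), parse_nix_conf(user_text)
    if is_trusted_user(system, user, groups):
        return []  # a trusted user may add any substituter (and any trusted-public-keys)
    # Simplification of this example: URLs are compared after dropping a trailing slash.
    allowed = {u.rstrip("/") for u in system.get("substituters", []) + system.get("trusted-substituters", [])}
    return [u for u in userconf.get("substituters", []) if u.rstrip("/") not in allowed]

if __name__ == "__main__":
    # With only root trusted, the cachix substituter is dropped; with github-runner trusted, nothing is.
    print(ignored_substituters(SYSTEM_CONF_ROOT_ONLY, USER_CONF, "github-runner"))
    print(ignored_substituters(SYSTEM_CONF_TRUSTED, USER_CONF, "github-runner"))
```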

Thanks! I'm closing this as it seems it's possible to use cachix-action on a NixOS host. Please reopen if any issues persist.