trivial-builders: init addTmateBreakpoint

[MatthewCroughan]

Description of changes

Testable with nix-build -A tests.trivial-builders.manualTesting.addTmateBreakpoint

This adds a function to Nixpkgs that allows you to wrap a derivation and insert a hook that creates an ssh session with tmate, allowing you to enter the derivation at the exact point it went wrong, regardless of whether the derivation is being built on a remote-builder.

{ addTmateBreakpoint, hello }:
(addTmateBreakpoint hello).overrideAttrs { postPatch = "exit 1"; }

Will result in the following

❯ nix-build -A tests.trivial-builders.addTmateBreakpoint
evaluation warning: addTmateBreakpoint in use, ignore the sha256 warning and do not leak these build logs, otherwise unauthorized ssh access to the build sandbox may occur
evaluation warning: calling makeSetupHook without passing a name is deprecated.
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
  /nix/store/ryf52zzfkk1h7m9w5w1r8m2s7gb45vlw-hello-2.12.1.drv
resolved derivation: '/nix/store/ryf52zzfkk1h7m9w5w1r8m2s7gb45vlw-hello-2.12.1.drv' -> '/nix/store/lbx9yvrzmkjn8s892lc6hgr74d2sia7x-hello-2.12.1.drv'...
building '/nix/store/lbx9yvrzmkjn8s892lc6hgr74d2sia7x-hello-2.12.1.drv'...
Using versionCheckHook
Running phase: unpackPhase
unpacking source archive /nix/store/pa10z4ngm0g83kx9mssrqzz30s84vq7k-hello-2.12.1.tar.gz
source root is hello-2.12.1
setting SOURCE_DATE_EPOCH to timestamp 1653865426 of file hello-2.12.1/ChangeLog
Running phase: patchPhase
build failed in patchPhase with exit code 1
### WARNING ###
addTmateBreakpoint in use, ignore the sha256 warning and do not leak these build logs, otherwise unauthorized ssh access to the build sandbox may occur
To attach using tmate:

To connect to the session locally, run: tmate -S /tmp/tmate-1000/Q1zzAv attach
Connecting to ssh.tmate.io...
web session read only: https://tmate.io/t/ro-VvJLT6c7tz5k9gD9gbjrDgScx
ssh session read only: ssh [email protected]
web session: https://tmate.io/t/uxxQTYbdBQ47ECELbM4BNAgQN
ssh session: ssh [email protected]

There's is a potential issue issue that this hook can introduce new and unexpected build failure, just by the fact that it provides internet access to a build that previously didn't have it, which can limit its usefulness in certain contexts. But nonetheless, I've found it very useful in practice

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[philiptaron]

I'm scared of running this test on Hydra / ofBorg / nix.ci / my own machine. Is there a way to prove that this is working that doesn't mean there could be an open connection out?

[MatthewCroughan]

We could re-override the attrs to make it no longer a FOD, and maybe look for some log lines, and grep them to ensure that tmate was spawned. I'm not sure how to do this with the trivial-builders testing infrastructure though, as I don't think there's a way of doing "golden testing", i.e checking output matches an expected string. I'm not sure how to best implement this, suggestions definitely welcome.

[philiptaron]

I wonder if you could use the nixosTests infrastructure instead, and do the Nix build on a VM which was guaranteed not to have network connectivity out... then scrape the build output for the whole nixosTest derivation using something like testBuildFailure to see the appropriate incantations are added.

Even better would look like a second VM which connected to the first through the SSH connection to prove the end-to-end workflow was successful. We have a couple of those in the nixosTest world, especially in the networking tests.

[MatthewCroughan]

I'm not sure I have the kind of time needed to implement that kind of test, and the value is unknown since tmate is not self-hosted anyway. A self-hosted tmate would be possible with the test you suggested which would be end-to-end. But yeah, I don't have the time to implement that.

[philiptaron]

Yeah, that's super fair. I don't think I'm comfortable with having this specific test in CI (as I currently understand it) so this might need to go into the "documented but not tested" bucket.

I'm also open to learning about CI and why this is safe.

[philiptaron]

This is really cool.

[roberth]

Nice!
This will be particularly helpful with remote builders, where you'd otherwise need both ssh and nsenter.

[roberth]

Maybe factor these two lines out so you can put an explicit breakpoint call anywhere in the derivation build script?

[MatthewCroughan]

Currently, to call the hook explicitly, you just have to place an exit 1; anywhere. For me, the point of the hook is to drop you in where a derivation fails. Are you proposing not doing that and instead making it a function you call from in the drv phase, rather than exit 1 to call the hook? Not sure what is meant by "factor these two lines out" otherwise, can you explain more?

[roberth]

Could you move this into the manual?
See e.g. https://nixos.org/manual/nixpkgs/stable/index.html#breakpointhook, which would be good to link back and forth.

[MatthewCroughan]

@roberth

where you'd otherwise need both ssh and nsenter.

This should also work fine on Darwin and BSDs whereas nsentr/cntr wouldn't.

[tomberek]

Thanks for adding this. It is a potential footgun, but often helpful. One way to mitigate the security issue is to leverage tmate's cli a bit more:

tmate -a ~/.ssh/authorized_keys

So people can add the hook, but also place their public keys into an envvar or file and the hook uses it.

[philiptaron]

@MatthewCroughan: what about adding this as passthru.breakpointHook on the tmate derivation, so that it's not in the stdenv and is more easily discoverable for those that use tmate?

[philiptaron]

https://gist.github.com/GrahamcOfBorg/68f9912aea02d01bff0a81ae3881f138

ofBorg isn't happy with the test, and I think I'd rather have this code in nixpkgs sans test than have a test which uses it.

[roberth]

This doesn't actually seem like a trivial builder to me.
I'd think it to be fine if this were in its own file in pkgs/build-support, referenced from all-packages.nix (which contains more than just packages anyway).

Maybe there's a better option I'm not thinking of. Might @infinisil have a suggestion?

[philiptaron]

Agree with Robert that this isn't a trivial builder.

I prefer hanging this off of the tmate derivation as a passthru tmate.breakpointHook, following the existing breakpointHook that uses cntr.

[philiptaron]

Requesting changes to move this out of trivial-builders; I've made a suggestion of tmate.breakpointHook but there are many other reasonable choices.

[philiptaron]

Why was this change needed?

[MatthewCroughan]

Because in order to provide unixtools and tmate to trivial-builders.nix so that we can put the addTmateBreakpoint function in there. Though as @roberth says, trivial-builders.nix may not be the correct location for this to reside.

[philiptaron]

Agree with Robert that this isn't a trivial builder.

I prefer hanging this off of the tmate derivation as a passthru tmate.breakpointHook, following the existing breakpointHook that uses cntr.