lix-project/lix
19
51
Fork 27
Code Issues 339 Code Review (Gerrit) Projects 1 Releases Wiki Activity

nix offline detection is applying to --refresh when that should be fatal, breaking system.autoUpgrade #286

New issue
Open
opened 2024-05-09 04:53:25 +00:00 by dcarosone · 1 comment
dcarosone commented 2024-05-09 04:53:25 +00:00
Member
Copy link

Describe the bug

autoUpgrade service doesn't fail when steps within the process have errors. nixos-rebuild seems to be swallowing them nix seems to not be exiting with an error visible to caller.

As well as simply not doing the intended job of upgrading, this can actually cause configuration to go backwards.

Steps To Reproduce

  1. enable the service on a laptop using wifi, with a persistent timer (the default)
  2. suspend the machine, and resume the following morning after the scheduled timer expires (04:40 default)
  3. the service can start immediately, before network connectivity is available. It has a dependency on network-online.target but this is not meaningful after a resume, unfortunately.
  4. the upgrade has no network, and so does not fetch channel updates or update the specified flake, but this doesn't generate an error that systemd sees.
  5. Even if the --refresh argument is given with a flake, it will use the previously-cached fetch from the last run, which should be considered stale and invalid. The build proceeds anyway.
  6. If the system had been manually updated (from a more recent checkout in /etc/nixos/flake.nix for example), the autoupgrade service will build and switch to the older revision, effectively rolling back unexpectedly.

Expected behavior

Issues and errors, such as lack of network connectivity for an upgrade, should be considered as errors for the rebuild, and cause the service to fail (so it can optionally then be configured to retry with a delay).

In particular, at step 5, the --refresh argument should consider cached copies of the flake source as invalid (as documented) and refuse to use them. The errors in the log, reported as "fatal", should therefore be fatal.

Screenshots

In the below log, wifi was disabled. The autoUpgrade service is configures with a git+ssh:// flake repo.

Without --refresh in the options list, the ssh errors don't appear, presumably because the 'network-dependent features' have been disabled. With --refresh they're tried anyway but the errors are ignored.

Dec 14 13:51:34 rocinante systemd[1]: Starting NixOS Upgrade...
Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: warning: you don't have Internet access; disabling some network-dependent features
Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: [4B blob data]
Dec 14 13:51:34 rocinante nixos-upgrade-start[98051]: ssh: connect to host soft-serve port 23231: Network is unreachable
Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: fatal: Could not read from remote repository.
Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: Please make sure you have the correct access rights
Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: and the repository exists.
Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: [148B blob data]
Dec 14 13:51:35 rocinante nixos-upgrade-start[98045]: building the system configuration...
Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: warning: you don't have Internet access; disabling some network-dependent features
Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: [4B blob data]
Dec 14 13:51:35 rocinante nixos-upgrade-start[98062]: ssh: connect to host soft-serve port 23231: Network is unreachable
Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: fatal: Could not read from remote repository.
Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: Please make sure you have the correct access rights
Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: and the repository exists.
Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: [148B blob data]
Dec 14 13:51:38 rocinante nixos-upgrade-start[98078]: updating GRUB 2 menu...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: NOT restarting the following changed units: nixos-upgrade.service
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: activating the configuration...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] creating new generation in /run/agenix.d/8
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] decrypting secrets...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: decrypting '/nix/store/hz41qqz5x88yk1jlwsj3shbqx74w904n-nm-geek-env.age' to '/run/agenix.d/8/nm-geek-env'...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] symlinking new secrets to /run/agenix (generation 8)...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] removing old secrets (generation 7)...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] chowning...
Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: setting up /etc...
Dec 14 13:51:40 rocinante nixos-upgrade-start[98078]: reloading user units for dan...
Dec 14 13:51:41 rocinante nixos-upgrade-start[98078]: setting up tmpfiles
Dec 14 13:51:42 rocinante systemd[1]: nixos-upgrade.service: Deactivated successfully.
Dec 14 13:51:42 rocinante systemd[1]: Finished NixOS Upgrade.
Dec 14 13:51:42 rocinante systemd[1]: nixos-upgrade.service: Consumed 2.772s CPU time, no IP traffic.

Speculation

After pondering on this for a while, I'm becoming more convinced that the issue is nix itself:

  • behaving as if --offline had been passed explicitly, based on some auto-detection of connectivity
  • having this take precedence over --refresh, that was passed explicitly
  • ignoring "fatal" errors in updates and proceeding anyway

Additional context

Full config, including workaround using a preStart job that will fail in a way systemd can see, and another to prevent rollback of 'dirty' changes when hacking:

{ inputs, ... }: {
  system.autoUpgrade = {
    enable = ((inputs.self.rev or "dirty") != "dirty");
    flake = "git+ssh://soft-serve:23231/geek/nixos?ref=flake";
    flags = [ "--refresh" ];
    randomizedDelaySec = "45m";
  };
  systemd.services.nixos-upgrade = {
    preStart = "ssh soft-serve -p 23231 info";
    startLimitIntervalSec = 120;
    startLimitBurst = 6;
    serviceConfig = {
      Restart = "on-failure";
      RestartSec = "20";
      CPUSchedulingPolicy = "idle";
      IOSchedulingClass = "idle";
    };
  };
}

It also seems to rebuild and switch when there's full network connectivity but no new revisions are fetched, regardless of whether this is because (without --refresh) the content is still within TTL, or simply no new revisions are found on the git repo. I don't think this is necessary.

It might be helpful to have an option that's the inverse of --offline that seems to be getting detected.. something like --require-online such that it can bail directly from this autodetection before even getting to the other steps. But it should still bail on those other errors, and the failure to update with --refresh, and it should very-definitely not roll back by building and switching to a stale revision.

originally at https://github.com/NixOS/nixpkgs/issues/274146

## Describe the bug autoUpgrade service doesn't fail when steps within the process have errors. ~~`nixos-rebuild` seems to be swallowing them~~ nix seems to not be exiting with an error visible to caller. As well as simply not doing the intended job of upgrading, this can actually cause configuration to go backwards. ## Steps To Reproduce 1. enable the service on a laptop using wifi, with a persistent timer (the default) 2. suspend the machine, and resume the following morning after the scheduled timer expires (04:40 default) 3. the service can start immediately, before network connectivity is available. It has a dependency on `network-online.target` but this is not meaningful after a resume, unfortunately. 4. the upgrade has no network, and so does not fetch channel updates or update the specified flake, but this doesn't generate an error that systemd sees. 5. Even if the `--refresh` argument is given with a flake, it will use the previously-cached fetch from the last run, which should be considered stale and invalid. The build proceeds anyway. 6. If the system had been manually updated (from a more recent checkout in `/etc/nixos/flake.nix` for example), the autoupgrade service will build and switch to the older revision, effectively rolling back unexpectedly. ## Expected behavior Issues and errors, such as lack of network connectivity for an upgrade, should be considered as errors for the rebuild, and cause the service to fail (so it can optionally then be configured to retry with a delay). In particular, at step 5, the `--refresh` argument should consider cached copies of the flake source as invalid (as documented) and refuse to use them. The errors in the log, reported as "fatal", should therefore be fatal. ## Screenshots In the below log, wifi was disabled. The autoUpgrade service is configures with a git+ssh:// flake repo. Without `--refresh` in the options list, the ssh errors don't appear, presumably because the 'network-dependent features' have been disabled. With `--refresh` they're tried anyway but the errors are ignored. ```console Dec 14 13:51:34 rocinante systemd[1]: Starting NixOS Upgrade... Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: warning: you don't have Internet access; disabling some network-dependent features Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: [4B blob data] Dec 14 13:51:34 rocinante nixos-upgrade-start[98051]: ssh: connect to host soft-serve port 23231: Network is unreachable Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: fatal: Could not read from remote repository. Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: Please make sure you have the correct access rights Dec 14 13:51:34 rocinante nixos-upgrade-start[98050]: and the repository exists. Dec 14 13:51:34 rocinante nixos-upgrade-start[98047]: [148B blob data] Dec 14 13:51:35 rocinante nixos-upgrade-start[98045]: building the system configuration... Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: warning: you don't have Internet access; disabling some network-dependent features Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: [4B blob data] Dec 14 13:51:35 rocinante nixos-upgrade-start[98062]: ssh: connect to host soft-serve port 23231: Network is unreachable Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: fatal: Could not read from remote repository. Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: Please make sure you have the correct access rights Dec 14 13:51:35 rocinante nixos-upgrade-start[98061]: and the repository exists. Dec 14 13:51:35 rocinante nixos-upgrade-start[98058]: [148B blob data] Dec 14 13:51:38 rocinante nixos-upgrade-start[98078]: updating GRUB 2 menu... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: NOT restarting the following changed units: nixos-upgrade.service Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: activating the configuration... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] creating new generation in /run/agenix.d/8 Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] decrypting secrets... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: decrypting '/nix/store/hz41qqz5x88yk1jlwsj3shbqx74w904n-nm-geek-env.age' to '/run/agenix.d/8/nm-geek-env'... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] symlinking new secrets to /run/agenix (generation 8)... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] removing old secrets (generation 7)... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: [agenix] chowning... Dec 14 13:51:39 rocinante nixos-upgrade-start[98078]: setting up /etc... Dec 14 13:51:40 rocinante nixos-upgrade-start[98078]: reloading user units for dan... Dec 14 13:51:41 rocinante nixos-upgrade-start[98078]: setting up tmpfiles Dec 14 13:51:42 rocinante systemd[1]: nixos-upgrade.service: Deactivated successfully. Dec 14 13:51:42 rocinante systemd[1]: Finished NixOS Upgrade. Dec 14 13:51:42 rocinante systemd[1]: nixos-upgrade.service: Consumed 2.772s CPU time, no IP traffic. ``` ## Speculation After pondering on this for a while, I'm becoming more convinced that the issue is nix itself: * behaving as if `--offline` had been passed explicitly, based on some auto-detection of connectivity * having this take precedence over `--refresh`, that *was* passed explicitly * ignoring "fatal" errors in updates and proceeding anyway ## Additional context Full config, including workaround using a preStart job that will fail in a way systemd can see, and another to prevent rollback of 'dirty' changes when hacking: ```nix { inputs, ... }: { system.autoUpgrade = { enable = ((inputs.self.rev or "dirty") != "dirty"); flake = "git+ssh://soft-serve:23231/geek/nixos?ref=flake"; flags = [ "--refresh" ]; randomizedDelaySec = "45m"; }; systemd.services.nixos-upgrade = { preStart = "ssh soft-serve -p 23231 info"; startLimitIntervalSec = 120; startLimitBurst = 6; serviceConfig = { Restart = "on-failure"; RestartSec = "20"; CPUSchedulingPolicy = "idle"; IOSchedulingClass = "idle"; }; }; } ``` It also seems to rebuild and switch when there's full network connectivity but no new revisions are fetched, regardless of whether this is because (without `--refresh`) the content is still within TTL, or simply no new revisions are found on the git repo. I don't think this is necessary. It might be helpful to have an option that's the inverse of `--offline` that seems to be getting detected.. something like `--require-online` such that it can bail directly from this autodetection before even getting to the other steps. But it should still bail on those other errors, and the failure to update with `--refresh`, and it should very-definitely not roll back by building and switching to a stale revision. originally at https://github.com/NixOS/nixpkgs/issues/274146
dcarosone added the
bug
 label 2024-05-09 04:53:25 +00:00
jade changed title from nix offline detection is masking errors, breaking system.autoUpgrade to nix offline detection is applying to `--refresh` when that should be fatal, breaking system.autoUpgrade 2024-05-09 05:00:42 +00:00
jade added the
Area/flakes
 label 2024-05-09 05:01:23 +00:00
dcarosone commented 2024-05-09 05:28:33 +00:00
Author
Member
Copy link

Smaller repro, invoking nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh 3 times:

  1. just to ensure everything is cached properly at the current revision
  2. to se that nothing happens once cached
  3. after taking the soft-serve repo offline; note that it continues despite the update failure and the use of --refresh

This also confirms the issue still persists in lix as of now.


❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh
building the system configuration...
trace: warning: The option `services.xserver.displayManager.defaultSession' defined in `/nix/store/z6wv0a36lsxj6w3fg4cxh0f7xmv2ikfa-source/common/general-desktop.nix' has been renamed to `services.displayManager.defaultSession'.
trace: warning: `overrideScope'` (from `lib.makeScope`) has been renamed to `overrideScope`.

❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh --verbose
$ cat /proc/sys/kernel/hostname
building the system configuration...
Building in flake mode.
$ nix --extra-experimental-features nix-command flakes build git+ssh://soft-serve:23231/geek/nixos?ref=flake#nixosConfigurations."oenone".config.system.build.toplevel --refresh --verbose

❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh --verbose
$ cat /proc/sys/kernel/hostname
building the system configuration...
Building in flake mode.
$ nix --extra-experimental-features nix-command flakes build git+ssh://soft-serve:23231/geek/nixos?ref=flake#nixosConfigurations."oenone".config.system.build.toplevel --refresh --verbose
ssh: connect to host soft-serve port 23231: No route to host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not update local clone of Git repository 'ssh://soft-serve:23231/geek/nixos'; continuing with the most recent version
Smaller repro, invoking `nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh` 3 times: 1. just to ensure everything is cached properly at the current revision 2. to se that nothing happens once cached 3. after taking the soft-serve repo offline; note that it continues despite the update failure and the use of `--refresh` This also confirms the issue still persists in lix as of now. ```console ❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh building the system configuration... trace: warning: The option `services.xserver.displayManager.defaultSession' defined in `/nix/store/z6wv0a36lsxj6w3fg4cxh0f7xmv2ikfa-source/common/general-desktop.nix' has been renamed to `services.displayManager.defaultSession'. trace: warning: `overrideScope'` (from `lib.makeScope`) has been renamed to `overrideScope`. ❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh --verbose $ cat /proc/sys/kernel/hostname building the system configuration... Building in flake mode. $ nix --extra-experimental-features nix-command flakes build git+ssh://soft-serve:23231/geek/nixos?ref=flake#nixosConfigurations."oenone".config.system.build.toplevel --refresh --verbose ❯ nixos-rebuild build --flake git+ssh://soft-serve:23231/geek/nixos?ref=flake --refresh --verbose $ cat /proc/sys/kernel/hostname building the system configuration... Building in flake mode. $ nix --extra-experimental-features nix-command flakes build git+ssh://soft-serve:23231/geek/nixos?ref=flake#nixosConfigurations."oenone".config.system.build.toplevel --refresh --verbose ssh: connect to host soft-serve port 23231: No route to host fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. warning: could not update local clone of Git repository 'ssh://soft-serve:23231/geek/nixos'; continuing with the most recent version
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
build-remote-ipc
sb/raito/phantom-referrers-gc
repl-overlay-example
release-2.91
reuse-compliance
release-2.90
git-series/activity-cleanup
sb/tom-hubrecht/primops.cc-v2
sb/bacchanalia/cache-strlen%topic=substr-perf
sb/arcuru/commit-msg
sb/qyriad/beta-1
sb/qyriad/2.90-beta.0
rbt/pre-commit-update
sb/rbt/test-branch
sb/rbt/justfile
sb/rbt/repl-overlays
sb/fuck/what
sb/rbt/pre-commit
sb/rbt/makeflags
sb/pennae/io-rewrite
sb/qyriad/maint-meson
sb/qyriad/maint/meson
sb/puck/meson-c-api
sb/pennae/parser-rewrite
sb/jade/burn-it-all
dependabot/github_actions/zeebe-io/backport-action-2.4.1
dependabot/github_actions/cachix/install-nix-action-25
dependabot/github_actions/actions/labeler-5
dependabot/github_actions/cachix/cachix-action-14
2.91.0
2.90.0
2.90.0-rc1
2.90-beta.1
2.90-beta.0
Labels
Clear labels   
Area/build-packaging

regarding the building or packaging of Lix itself

  
Area/cli

The command line interface of Lix

  
Area/evaluator

libexpr and anything else related to the evaluation of Nix expressions

  
Area/flakes

   
Area/language

language design, features, extensions, etc

  
Area/profiles

profiles: nix-env, nix profile, and installer flavors all alike

  
Area/protocol

The protocol, used for communicating between the client and the daemon

  
Area/releng

Release engineering

  
Area/remote-builds

remote builds

  
Area/repl

nix repl

  
Area/store

libstore and anything else relating to the Nix store

  
bug

it's a bug

  
Cross Compilation

   
devx

development experience issues

  
docs

requires or is about documentation changes

  
Downstream Dependents

regarding an external tool's usage with Lix (e.g. nix-eval-jobs)

  
E/easy

bug is relatively simple and could simply be fixed with some minor effort

  
E/hard

this issue should probably be solved with close involvement of an expert

  
E/help wanted

maintainers may not get to this soon, but we want it fixed

  
E/reproducible

This bug is reproducible and obvious.

  
E/requires rearchitecture

this bug cannot be fixed properly without fixing a known architectural flaw

  
imported

Issue imported from upstream nix (please do not remove this label, it will cause dupes if import is rerun)

  
Needs Langver

We can't get to this until we implement language versioning

  
OS/Linux

Affects specifically Lix on Linux

  
OS/macOS

Affects specifically Lix on macOS

  
performance

make lix go faster

  
regression

This is a regression since some previous version of Lix

  
release-blocker

Blocks public release

  
RFD

Request for discussion

  
stability

Fixing this makes the software more stable

  
Status
blocked
Blocked on something

  
Status
invalid
not our bug, duplicate, similar

  
Status
postponed
closed but should maybe look at later (generally with S-wontfix)

  
Status
wontfix
We chose not to change this (see issue comments for more detail).

  
testing

Tests that should be added

  
testing/flakey

Tests that are unreliable/flakey (not to be confused with flakes that test)

  
ux

makes the user experience better :)

No labels
Area/build-packaging
Area/cli
Area/evaluator
Area/flakes
Area/language
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/store
bug
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
RFD
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
testing/flakey
ux
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#286
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?