Skip to content

fix(nix): make flake checks hermetic#1958

Closed
elezar wants to merge 18 commits into
NVIDIA:sscatton/nix-add-build-with-cranefrom
elezar:nix-flake-check-fixes/elezar
Closed

fix(nix): make flake checks hermetic#1958
elezar wants to merge 18 commits into
NVIDIA:sscatton/nix-add-build-with-cranefrom
elezar:nix-flake-check-fixes/elezar

Conversation

@elezar

@elezar elezar commented Jun 18, 2026

Copy link
Copy Markdown
Member

Summary

Make nix flake check pass on the Darwin builder by removing two host-environment assumptions exposed by hermetic Nix checks.

Related Issue

None.

Changes

  • Add lsof to openshell-core Nix check inputs because the port availability test asserts cross-family listener detection through lsof.
  • Move the VM gvproxy fallback socket directory from shared /tmp/osd-gv to per-user /tmp/openshell-<uid>/osd-gv when XDG_RUNTIME_DIR is absent, preserving ownership checks while avoiding cross-user temp-dir collisions.

Context

On this system, lsof existed on the host at /usr/sbin/lsof, but it was not present inside the Nix test derivation. The production port check treats missing lsof as no listener data, so the IPv6 wildcard listener test failed until pkgs.lsof was declared.

The VM driver also fell back to /tmp/osd-gv. In the Nix sandbox that directory already existed with uid 502, while the builder ran as uid 355. The existing ownership guard correctly rejected it. Using a uid-scoped fallback keeps the safety property and makes the path hermetic for multi-user and Nix builds.

Testing

  • nix build .#checks.aarch64-darwin.openshell-core-test --print-build-logs
  • nix build .#checks.aarch64-darwin.openshell-driver-vm-test --print-build-logs
  • nix build .#checks.aarch64-darwin.rustfmt --print-build-logs
  • nix build .#checks.aarch64-darwin.openshell-driver-vm-clippy --print-build-logs
  • nix flake check
  • mise run pre-commit passes: mise is unavailable in this shell (zsh: command not found: mise)
  • E2E tests added/updated: not applicable

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

SDAChess and others added 18 commits June 17, 2026 10:49
@SDAChess
build(nix): add per-crate crane workspace builds
47358f8 
Add crane-based package outputs for the main OpenShell crates and a default
symlinkJoin package. The new workspace helper derives each crate's transitive
workspace dependency closure, builds from minimal source trees, and declares the
assets each crate needs at compile time.

Build each crate in three layers:

1. crates.io dependencies with crane buildDepsOnly
2. first-party workspace dependency libraries
3. the final real crate

The workspace-libs layer builds the selected package with the same `-p <crate>`
selection as final so Cargo feature unification matches, but overlays a
crane-generated dummy source for the leaf crate. After that layer builds, remove
the dummy leaf artifacts with `cargo clean --release -p <crate>` so the final
layer cannot reuse or package stub outputs. This lets leaf edits reuse cached
first-party libs while still compiling and linking the real leaf crate.

Add explicit `[lib]` target names and `path = "src/lib.rs"` entries to
workspace crates. The Nix source minimizer keeps every member Cargo.toml but
omits source trees outside the selected crate closure; explicit target paths let
Cargo resolve those member manifests without relying on auto-discovery of files
that are intentionally absent. They also give crane's dummy source generation a
stable target shape.

Guard the openshell-core build script's `.git` rerun paths so Cargo does not
mark core dirty in Nix source trees where `.git` is absent. Without this, core
recompiled in the final layer and cascaded into its dependents.

Known limitation: the VM driver package is wired into the flake, but the Nix
build does not yet provide the compressed VM runtime artifacts that
openshell-driver-vm embeds. For now that crate builds via its stub-resource
fallback rather than producing a fully usable VM driver package.

Ignore Nix `result*` symlinks created by local builds.
@SDAChess
refactor(nix): centralize crate build specs
1c785fd
@SDAChess
fix(nix): provide protoc for builds
1c31a35
@SDAChess
refactor(nix): propagate workspace crate inputs
f77866c
@SDAChess
test(sandbox): make unit tests hermetic
28b3b82
@SDAChess
test(nix): add per-crate cargo test checks
848b98a
@SDAChess
ci: replace branch checks with nix workflow
c86b02b
@SDAChess
ci: add nix rustfmt lint check
19b1b67
@SDAChess
ci: add nix clippy lint checks
c03df86
@SDAChess
ci: upload nix outputs to cachix
a98c4d2
@SDAChess
ci: use cachix action for nix cache
543b4b0
@SDAChess
ci: deduplicate nix workflow setup
66cc377
@SDAChess
ci: factor nix build workflow action
86ae2f3
@SDAChess
ci: build nix container images
cc014b8
@SDAChess
ci: add nix SPDX header check
8971743 
Signed-off-by: Simon Scatton <sscatton@nvidia.com>
@SDAChess
ci: batch nix workflow targets
2fbf7e3
@elezar
fix(nix): repair supervisor crate source packaging (NVIDIA#1953)
adf92e7 
Signed-off-by: Evan Lezar <elezar@nvidia.com>
@elezar
fix(nix): make flake checks hermetic
0fffb47 
Signed-off-by: Evan Lezar <elezar@nvidia.com>
@elezar elezar added the gator:in-review Gator is reviewing or awaiting PR review feedback label Jun 23, 2026
@elezar

elezar commented Jun 23, 2026

Copy link
Copy Markdown
Member Author

gator-agent

PR Review Status

Validation: this maintainer-authored PR is project-valid because it is a concentrated Nix/check hermeticity and VM runtime socket-path fix.
Head SHA: 0fffb47a244cf3f79b3e7e77d2ea974193702f78

Review findings:

  • Blocking: crates/openshell-driver-vm/src/runtime.rs creates a predictable fallback parent under /tmp (/tmp/openshell-<uid>) but only validates the final osd-gv child. Another local user can pre-create the parent and retain control over rename/delete/replace races around the child socket directory. Please validate/create the fallback parent itself with the same owner, symlink, directory, and mode checks, and avoid create_dir_all() across unvalidated intermediate components. This is a CWE-377/CWE-367 class issue.
  • Warning: add focused coverage for fallback parent creation and secure directory mode/ownership where practical.

Docs: no Fern docs update is required; this is build hermeticity and internal runtime path hardening.

Next state: gator:in-review

@SDAChess SDAChess force-pushed the sscatton/nix-add-build-with-crane branch from adf92e7 to eab1d5e Compare June 24, 2026 09:24
@elezar elezar closed this Jun 24, 2026
@elezar elezar deleted the nix-flake-check-fixes/elezar branch June 24, 2026 14:31
@elezar

elezar commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

gator-agent

Monitoring Complete

Monitoring is complete because this PR has been closed without merge.

Final status: the PR closed with an active gator:in-review label still present.

I removed the active gator:* label because there is nothing left for gator to monitor on this PR.

@elezar elezar removed the gator:in-review Gator is reviewing or awaiting PR review feedback label Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner
@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion is a code owner
@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elezar @SDAChess