Local Nix cache is ignored because NAR info file lacks a signature

nixnixos

[partially solved here: https://plus.google.com/110416349762686874861/posts/PVGHL1Tpeb9; but not entirely]

I want to use one of my NixOS machines as a cache for the packages, to not pull everything from Hydra for each one on every upgrade. So I try to do this:
https://nixos.org/nix/manual/#sec-sharing-packages. But

When I try to use nix-serve -p <port>, nix-env --option extra-binary-caches http://<host>:<port>/ (even when run as root!) just ignores this cache, saying that "NAR info file" … "lacks a signature", and attempts to switch to cache.nixos.org. So nix-serve doesn't work as expected.
Does it mean that the documentation is not actual anymore, or that nix-serve is broken?
While nix-copy-closure --to <user>@<host> does work (if <user> is added as trusted user into nix.trustedUsers). But doing this on every upgrade would be very inconvenient. BTW. What also puzzles me here is how --from is supposed to be used?

I have general understanding of how cryptographic signatures work, and why they are used to sign packages (and repositories). But

In these circumstances I simply don't need it: the risk of a MITM is not something to worry about. I just want to copy few GiB's of binaries from one machine to another, regularly and effortlessly.
I could, of course, simply disable the verification completely via nix.requireSignedBinaryCaches = false, but isn't there a less radical way?
If, say, I invoke nix-env as root, or as a "trusted user" and have this "extra" binary cache registered as "trusted binary cache"; doesn't it imply that I know what I'm doing, and don't need the system nagging about missing signatures? (without the need for disabling the checking altogether)
I haven't found how to disable the verification only for a certain "trusted" source/user, and pretty much suspect it doesn't exist (i.e. bug).
I could probably also, to comply with this signing mechanism, try to set up a "full-fledged" binary cache, by making use of nix-store --generate-binary-cache-key, then nix-push --dest <somewhere> --key-file <secret-1> --none <cherrypicked-paths>, and registering the public key on the client(s). But it's quite not what I want: storing the archives on the "server" and setting the paths for nix-push explicitly. I just want that either nix-serve signed those shared packages before delivery, so that the receiving side would be happy, or nix-env to not complain about the lack of signing, if I'm absolutely sure that this particular source is trustworthy!

In conclusion: I'm pretty sure nix-serve or the signature checking mechanism (or both) are simply broken/unmaintained. So one can consider it all less as a question, more as a bug report candidate. But if I'm wrong — yet better.

Best Answer

Here is how you configure the server and client for using a signed binary cache served via the nix-serve command. This does not require using nix-push to generate the cache and you can serve your /nix/store directly using this method.

This is documented in the man-page for nix-push so if you want more details you can check that out, too

Server configuration

This example assumes that your server's hostname is cache.example.com.

First, you need to generate a signing-key pair using nix-store --generate-binary-cache-key, like this:

$ nix-store --generate-binary-cache-key cache.example.com-1 nix-serve.sec nix-serve.pub

... just replacing cache.example.com with any appropriate hostname for your server. It doesn't have to match the real host name, but it helps if they match so that you can easily distinguish which server a public key belongs to.

If your cache server is running NixOS then you can serve your cache by adding these two lines to your NixOS configuration file:

nix-serve = {
  enable = true;
  secretKeyFile = "/path/to/nix-serve.sec";
};

... and make sure that the nix-serve user has read-access to the nix-serve.sec key.

If you are not using NixOS and you want to serve your cache directly using the nix-serve executable, then you need to use the NIX_SECRET_KEY_FILE environment variable to specify the path to the secret key, like this:

NIX_SECRET_KEY_FILE=/path/to/nix-serve.sec nix-serve ...

Client configuration

If your client machine is a NixOS machine, then you can add these lines to your NixOS configuration file:

nix.binaryCaches = [
  "https://cache.nixos.org/"

  # This assumes that you use the default `nix-serve` port of 5000
  "http://cache.example.com:5000"
];

nix.binaryCachePublicKeys = [
  "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="

  # Replace the following string with the contents of the
  # `nix-serve.pub` file you generated in the "Server configuration"
  # section above
  "cache.example.com-1:...="
];

If you are not on a NixOS machine then you can manually edit your nix.conf file to have the following settings:

binary-caches = https://cache.nixos.org/ http://cache.example.com
binary-cache-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.example.com-1:...=

If you prefer to enable a binary cache for just one build you can instead pass these binary cache configuration flags directly to any Nix utility like nix-build or nixos-rebuild, like this:

nixos-rebuild build --option binary-caches "https://cache.nixos.org/ http://cache.example.com" --option binary-cache-public-keys "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.example.com-1:...="

TL;DR

The working solution is using patchelf (if you have to deal with non-matching glibc versions: in the host system and the one nix libs have been linked with), see the second half of my story.

Trying the usual approach

Trying to use LD_LIBRARY_PATH

Well, I have set up an environment variable for this in ~/.bash_profile:

NIX_LINK=/home/ivan/.nix-profile
export LD_LIBRARY_PATH="$NIX_LINK"/lib

but that's not all!

Now there are problems with linking with different versions of libc:

$ ldd -r ../valencies 
../valencies: /lib64/libc.so.6: version `GLIBC_2.15' not found (required by ../valencies)
../valencies: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ../valencies)
../valencies: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /home/ivan/.nix-profile/lib/libgmp.so.10)
    linux-vdso.so.1 =>  (0x00007fff365ff000)
    /usr/local/lib/libsnoopy.so (0x00007f56c72e6000)
    libgmp.so.10 => /home/ivan/.nix-profile/lib/libgmp.so.10 (0x00007f56c7063000)
    libffi.so.5 => /usr/lib64/libffi.so.5 (0x00007f56c6e54000)
    libm.so.6 => /lib64/libm.so.6 (0x00007f56c6bd0000)
    librt.so.1 => /lib64/librt.so.1 (0x00007f56c69c7000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f56c67c3000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f56c65a6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f56c6211000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f56c74f1000)
symbol memcpy, version GLIBC_2.14 not defined in file libc.so.6 with link time reference    (/home/ivan/.nix-profile/lib/libgmp.so.10)
symbol memcpy, version GLIBC_2.14 not defined in file libc.so.6 with link time reference    (../valencies)
symbol __fdelt_chk, version GLIBC_2.15 not defined in file libc.so.6 with link time reference   (../valencies)
$

Sorting out 2 versions of glibc

The most surprizing error here is:

symbol memcpy, version GLIBC_2.14 not defined in file libc.so.6 with link time reference    (/home/ivan/.nix-profile/lib/libgmp.so.10)

because nix must have installed the version of glibc which is used by its libgmp!

And indeed, the glibc from nix is there:

$ ldd -r /home/ivan/.nix-profile/lib/libgmp.so.10
    linux-vdso.so.1 =>  (0x00007fff0f1ff000)
    /usr/local/lib/libsnoopy.so (0x00007f06e9919000)
    libc.so.6 => /nix/store/93zfs0zzndi7pkjkjxawlafdj8m90kg5-glibc-2.20/lib/libc.so.6 (0x00007f06e957c000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f06e9371000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f06e9da7000)
symbol _dl_find_dso_for_object, version GLIBC_PRIVATE not defined in file ld-linux-x86-64.so.2 with link time reference (/nix/store/93zfs0zzndi7pkjkjxawlafdj8m90kg5-glibc-2.20/lib/libc.so.6)
/home/ivan/.nix-profile/lib/libgmp.so.10: error while loading shared libraries: __vdso_time: invalid mode for dlopen(): Invalid argument
$

Probably, glibc was not available to the user, so when I ran my binary, the system's glibc was loaded first. Proof:

$ ls ~/.nix-profile/lib/*libc*
ls: cannot access /home/ivan/.nix-profile/lib/*libc*: No such file or directory
$

Ok, we can try to make glibc visible to the user, too:

$ nix-env -i glibc

Then everything is bad:

$ ldd -r ../valencies 
/bin/bash: error while loading shared libraries: __vdso_time: invalid mode for dlopen(): Invalid argument
$ /bin/echo ok
/bin/echo: error while loading shared libraries: __vdso_time: invalid mode for dlopen(): Invalid argument
$

So, it seems to be not an easy job if you want to load libraries from nix when running your own binaries...

For now, I'm commenting out

export LD_LIBRARY_PATH="$NIX_LINK"/lib

and doing in the shell session:

$ unset LD_LIBRARY_PATH
$ export LD_LIBRARY_PATH

Need to think more. (Read about __vdso_time: invalid mode for dlopen(): having another glibc in LD_LIBRARY_PATH is expected to crash, because your ld-linux-x86-64.so.2 will not match your libc.so.6. Having multiple versions of glibc on a single system is possible, but slightly tricky, as explained in this answer.)

The needed solution: patchelf

So, the path to the dynamic linker is hard-coded in the binary. And the dynamic linker being used is from the system (from the host glibc), not from nix. And because the dynamic linker doesn't match the glibc which we want and need to use, it doesn't work.

A simple and working solution is patchelf.

patchelf --set-interpreter /home/ivan/.nix-profile/lib/ld-linux-x86-64.so.2 ../valencies

After that, it works. You still need to fiddle with LD_LIBRARY_PATH though.

$ LD_LIBRARY_PATH=/home/ivan/.nix-profile/lib:/lib64/:/usr/lib64/ ../valencies

If--like in my imperfect case--some of the libraries are taken from nix, but some are taken from the host system (because I haven't installed them with nix-env -i), you have to specify both the path to the nix libs, and to your host system libs in LD_LIBRARY_PATH (it completely overrides the default search path).

additional step: patchelf for the library search path

(from the patchelf page)

Likewise, you can change the RPATH, the linker search path embedded into executables and dynamic libraries:

patchelf --set-rpath /opt/my-libs/lib:/foo/lib program

This causes the dynamic linker to search in /opt/my-libs/lib and /foo/lib for the shared libraries needed by program. Of course, you could also set the environment variable LD_LIBRARY_PATH, but that’s often inconvenient as it requires a wrapper script to set up the environment.

How to remove single package from cache/nix store

nix-store --delete /path Note that the path might be alive and thus refused to be deleted without --ignore-liveness and root privileges.