Need easy, guaranteed way to update Nix

[cstrahan]

The Nix package manager should have a command to update the current version of Nix; this would prevent the hoops that I'm currently jumping through:

1. Try to update an old machine with NixOS installed (from about 12 or 13 months ago), and watch it fail because the installed version of Nix is too old to evaluate the latest Nixpkgs.
2. Consult https://nixos.org/wiki/How_to_update_when_Nix_is_too_old_to_evaluate_Nixpkgs, which suggests: curl -L https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.nix.x86_64-linux/latest-finished/nix/pkg/nix-1.10-x86_64-linux.nixpkg | nix-install-package --non-interactive -
3. ... which fails because, as Hydra reports, "Path /nix/store/6nkzpsw9wq4gfn84c4d0shjs9hqyw9jy-nix-1.11.4-debug is no longer available."
4. Click through Hydra and try to find a recent evaluation, hoping that the store path hasn't disappeared.
5. Find the nixos:trunk-combined:nixpkgs.nix.x86_64-linux job, find the latest evaluation (evaluated on 2016-10-29 18:50:01), and then try to fetch the "One-Click Install" build product.
6. Get presented with a 404: "Path /nix/store/5q4rqc1fv1vi8z9g6ni0jlf7b802vm67-nix-1.11.4-debug is no longer available."
7. Realize that I could just nix-store --export $(nix-store -qR $(which nix-build)) > nix.closure from my up-to-date machine, copy that to a USB drive, and then nix-store --import nix.closure on the old machine.
8. That fails with: "error: imported archive of '/nix/store/....-glibc-2.24' lacks a signature" (despite having nix.requireSignedBinaryCaches = false; configured)
9. Have no idea what to do about the missing signature.

I still haven't figure out how I'm going to upgrade, but I figure the next step is going to be trying to install from source, and hope that any transitive dependencies don't get me stuck in some sort of catch 22 scenario.

In my case, I've been using Nix/NixOS for a while now and am thoroughly convinced of the benefits (even if things get pretty damned bumpy every now and then), so this isn't going to turn me off. For new users, though, this sort of scenario would very likely be the thing that makes them say "fuck it" and warn their friends.

What we really need is a single command that can get people unstuck in these scenarios.

[cstrahan]

Note that while nix-copy-closure has the --sign flag documented in the Nix manual, the same is not true for nix-store --export.

Also, while there used to be doc/signing.txt in the repo, it has since been removed, and there is no mention of how to generate /etc/nix/signing-key.{pub,sec} in the Nix manual.

[groxxda]

It's a known issue that the links on hydra are dead since the packages are uploaded to s3.
The workaround is to use nix-store --realise /nix/store/.... to download the wanted path.

That the wiki provides an outdated solution that does not work anymore is (at least) unfortunate. Since porting the wiki content is progressing so slow, we should really consider updating that single wiki page because people report this regularly....

[groxxda]

I think that signing keys can be generated with nix-store --generate-binary-cache-key <keyid> <secret-file-out> <signature-out>

[cstrahan]

@groxxda Is there a way that Hydra could provide links to S3, then? Or at least not pretend to have direct links (e.g. keep the list of build products, but remove the <a href="..."> bits)? As it stands, this is pretty confusing.

[cstrahan]

Oh, and thanks for the nix-store --realize tip; I'll give that a go.

[groxxda]

@cstrahan NixOS/hydra#321 is about the broken links on hydra.

[cstrahan]

Not having much luck with signing:

$ sudo nix-store --generate-binary-cache-key cstrahan-1 /etc/nix/signing-key.sec /etc/nix/signing-key.pub

$ sudo chmod 644 /etc/nix/signing-key.pub

$ sudo chmod 600 /etc/nix/signing-key.sec

$ sudo nix-store --export $(nix-store -qR /run/current-system/sw/bin/nix-build) --sign >! ~/nix.closure
unable to load Private Key
140159983984152:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
error: program ‘/nix/store/47ddkjfrphqp8zxd8cq9xa10l0xr8qkv-openssl-1.0.2i-bin/bin/openssl’ failed with exit code 1

Guess I'll go for the --realize approach.

[groxxda]

Okay sorry, my advice was incorrect.
But generating with openssl should work as described here: doc/signing.txt@1.11.4

[cstrahan]

I ended up isolating Firefox as being the only thing that wouldn't evaluate in my config (as it, or one of its dependencies, uses a sha512 somewhere). I just commented that out and I'm now updating.

Before that, I tried sudo nix-env -i /nix/store/75l105a6h71mliypp6madr9y1mvwp5nc-nix-1.11.4, but nixos-rebuild somehow kept using the old nix, rather than the new one from root's $PATH.

[groxxda]

I think you could have forced nixos-rebuild to use nix from path with _NIXOS_REBUILD_REEXEC=1 nixos-rebuild ...

[domenkozar]

Next Nix UI will have nix upgrade command.

[vcunat]

IIRC with sha512 there matters what version the nix daemon is running; I think nix will bypass the daemon if executing the command as root.

We recently discussed these on ML http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020891.html . A problem is that there probably isn't a catch-all way, as you might be using rpm/deb to install nix, for example.

[cleverca22]

one thing of note, you don't have to mess with export, copy-closure, or signing at all in 90% of cases

[clever@amd-nixos:~]$ nix-instantiate --eval -E 'with import <nixpkgs> { config = {}; }; "${nix.out}"'
"/nix/store/hyjvd8y5y016p08p1yj49hkb59q9kjp4-nix-1.11.4"

run this on any machine with the newer channel, and the correct arch, then do this on the older machine:

nix-store -r /nix/store/hyjvd8y5y016p08p1yj49hkb59q9kjp4-nix-1.11.4

and you now have the new nix, manually add it to $PATH and _NIXOS_REBUILD_REEXEC, or if its not nixos, just nix-env -i the above path