Skip to content

disallowedRequisites: Show forbidden chain(s) to forbidden path#10877

Open
roberth wants to merge 1 commit intoNixOS:masterfrom
hercules-ci:report-forbidden-path-as-chain
Open

disallowedRequisites: Show forbidden chain(s) to forbidden path#10877
roberth wants to merge 1 commit intoNixOS:masterfrom
hercules-ci:report-forbidden-path-as-chain

Conversation

@roberth
Copy link
Copy Markdown
Member

@roberth roberth commented Jun 9, 2024
edited
Loading

Motivation

When a build fails because of disallowedRequisites, the error message now includes the chain of references that led to the failure. This makes it easier to see in which derivations the chain can be broken, to resolve the problem.

Example:

$ nix build --no-link /nix/store/1fsjsd98awcf3sgny9zfq4wa7i5dci4n-hercules-ci-agent-0.10.3.drv^out
error: output '/nix/store/xg01gga2qsi9v2qm45r2gqrkk46wvrkd-hercules-ci-agent-0.10.3' is not allowed to refer to the following paths.
       Shown below are chains that lead to the forbidden path(s). More may exist.
         { /nix/store/xg01gga2qsi9v2qm45r2gqrkk46wvrkd-hercules-ci-agent-0.10.3 -> /nix/store/mfzkjrwv8ckqqbsbj5yj24ri9dsgs30l-hercules-ci-cnix-expr-0.3.6.3 -> /nix/store/vxlw2igrncif77fh2qg1jg02bd455mbl-ghc-9.6.5 }

Context

Priorities and Process

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@github-actions github-actions bot added documentation with-tests Issues related to testing. PRs with tests have some priority labels Jun 9, 2024
@roberth roberth force-pushed the report-forbidden-path-as-chain branch from 3c6e18a to 131974a Compare June 9, 2024 22:29
cole-h
cole-h reviewed Jun 9, 2024
View reviewed changes
doc/manual/rl-next/report-forbidden-path-as-chain.md
$ nix build --no-link /nix/store/1fsjsd98awcf3sgny9zfq4wa7i5dci4n-hercules-ci-agent-0.10.3.drv^out
error: output '/nix/store/xg01gga2qsi9v2qm45r2gqrkk46wvrkd-hercules-ci-agent-0.10.3' is not allowed to refer to the following paths.
Shown below are chains that lead to the forbidden path(s). More may exist.
{ /nix/store/xg01gga2qsi9v2qm45r2gqrkk46wvrkd-hercules-ci-agent-0.10.3 -> /nix/store/mfzkjrwv8ckqqbsbj5yj24ri9dsgs30l-hercules-ci-cnix-expr-0.3.6.3 -> /nix/store/vxlw2igrncif77fh2qg1jg02bd455mbl-ghc-9.6.5 }
Copy link
Copy Markdown
Member

@cole-h cole-h Jun 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if a more readable output would be something similar to why-depends -- the tree-like output is a lot easier to read than a super-long chain of [store path] -> [store path] -> [store path] -> .....

Copy link
Copy Markdown
Member Author

@roberth roberth Jun 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the chain is short enough, it will look better, and I expect the chains to be short.

I did consider it, but was non-trivial to achieve, because that code can't simply be reused, and when we use the tree syntax, we also need a proper tree data model in order to render it properly. So it's:

  • gather all chains up into a tree
  • refactor the tree rendering code to take a more abstract tree
    • or maybe only factor out the very surface level rendering bits, insofar that makes sense
  • render it with that

I've already had to do a much deeper dive for this unplanned thing, which should have been quick. That's why I had already added the comment:

// Consider working with paths in a more stable order (https://github.com/NixOS/nix/issues/10875)
// and/or get all possible chains and present them in the `nix-store -q --tree` format.

I'd like to save that improvement for later and focus on more urgent things, but PRs are welcome.

Copy link
Copy Markdown
Member Author

@roberth roberth Jun 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or do something very ad hoc, and not bother deduplicating common paths so that it forms a tree, but it's worth noting that it also requires more test setup to check a multi-line output, fwiw.

@roberth roberth mentioned this pull request Jun 9, 2024
Open
12 tasks
@roberth roberth force-pushed the report-forbidden-path-as-chain branch from 131974a to d1911e1 Compare June 10, 2024 10:07
@roberth roberth added the error-messages Confusing messages and better diagnostics label Jun 11, 2024
@fricklerhandwerk fricklerhandwerk removed their request for review June 13, 2024 09:46
@edolstra edolstra requested review from Ericson2314 and removed request for Ericson2314 July 17, 2024 19:13
@nixos-discourse
Copy link
Copy Markdown

nixos-discourse commented Jul 18, 2024

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2024-07-17-nix-team-meeting-minutes-162/49255/1

@roberth roberth force-pushed the report-forbidden-path-as-chain branch from d1911e1 to 06fad10 Compare July 24, 2024 17:34
lf- pushed a commit to lix-project/lix that referenced this pull request Jul 7, 2025
@Ma27 @roberth
libstore: show forbidden chain(s) to forbidden path from disallowedRe…
325e7e1 
…quisites

Closes #334
Closes #626

This is loosely based on upstream PR#10877[1], but heavily changed to
use the graph logic from `nix why-depends`.

`precise` is `false` here since the out-path of the drv being built
isn't registered yet, so the path accessor cannot scan through files
yet.

Example output (from an openssh build with `pcsclite.lib` & `glibc` in
`disallowedRequisites`):

    error: output '/nix/store/hr8lmmjmd1jk6s3p5ymggyk4am7n2lmb-openssh-10.0p2' is not allowed to refer to the following paths:
           /nix/store/p6r5awz3ywrz66symnrn0xb85xzmcysf-pcsclite-2.3.0-lib
           /nix/store/q4wq65gl3r8fy746v9bbwgx4gzn0r2kl-glibc-2.40-66
           Shown below are chains that lead to the forbidden path(s).
           /nix/store/hr8lmmjmd1jk6s3p5ymggyk4am7n2lmb-openssh-10.0p2
           └───/nix/store/ys91ywnwikm14xznwk3cdbprapv2m37z-libfido2-1.16.0
               └───/nix/store/p6r5awz3ywrz66symnrn0xb85xzmcysf-pcsclite-2.3.0-lib
           /nix/store/hr8lmmjmd1jk6s3p5ymggyk4am7n2lmb-openssh-10.0p2
           ├───/nix/store/q4wq65gl3r8fy746v9bbwgx4gzn0r2kl-glibc-2.40-66
           ├───/nix/store/6r4zqb04fq5l5l4zghq76wvcpz7dwd35-linux-pam-1.6.1
           │   ├───/nix/store/q4wq65gl3r8fy746v9bbwgx4gzn0r2kl-glibc-2.40-66
           [...]

[1] NixOS/nix#10877

Co-authored-by: Robert Hensing <robert@roberthensing.nl>
Change-Id: Ib30024c0d9e45c1160bf0134f7d3ba17dbdeff47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thufschmitt thufschmitt Awaiting requested review from thufschmitt

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 is a code owner

1 more reviewer

@cole-h cole-h cole-h left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@Ericson2314 Ericson2314

Labels

documentation error-messages Confusing messages and better diagnostics with-tests Issues related to testing. PRs with tests have some priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@roberth @nixos-discourse @cole-h @Ericson2314