
fix(nix): make flake checks hermetic #1958

Open

elezar wants to merge 1 commit into NVIDIA:sscatton/nix-add-build-with-crane from elezar:nix-flake-check-fixes/elezar

Conversation

elezar (Member) commented Jun 18, 2026

Summary

Make nix flake check pass on the Darwin builder by removing two host-environment assumptions exposed by hermetic Nix checks.

Related Issue

None.

Changes

  • Add lsof to openshell-core Nix check inputs because the port availability test asserts cross-family listener detection through lsof.
  • Move the VM gvproxy fallback socket directory from shared /tmp/osd-gv to per-user /tmp/openshell-<uid>/osd-gv when XDG_RUNTIME_DIR is absent, preserving ownership checks while avoiding cross-user temp-dir collisions.

Context

On this system, lsof existed on the host at /usr/sbin/lsof, but it was not present inside the Nix test derivation. The production port check treats missing lsof as no listener data, so the IPv6 wildcard listener test failed until pkgs.lsof was declared.

The VM driver also fell back to /tmp/osd-gv. In the Nix sandbox that directory already existed with uid 502, while the builder ran as uid 355. The existing ownership guard correctly rejected it. Using a uid-scoped fallback keeps the safety property and makes the path hermetic for multi-user and Nix builds.

Testing

  • nix build .#checks.aarch64-darwin.openshell-core-test --print-build-logs
  • nix build .#checks.aarch64-darwin.openshell-driver-vm-test --print-build-logs
  • nix build .#checks.aarch64-darwin.rustfmt --print-build-logs
  • nix build .#checks.aarch64-darwin.openshell-driver-vm-clippy --print-build-logs
  • nix flake check
  • mise run pre-commit passes: mise is unavailable in this shell (zsh: command not found: mise)
  • E2E tests added/updated: not applicable

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Signed-off-by: Evan Lezar <elezar@nvidia.com>
elezar added the gator:in-review label (Gator is reviewing or awaiting PR review feedback) on Jun 23, 2026
elezar (Member, Author) commented Jun 23, 2026

gator-agent

PR Review Status

Validation: this maintainer-authored PR is project-valid because it is a concentrated Nix/check hermeticity and VM runtime socket-path fix.
Head SHA: 0fffb47a244cf3f79b3e7e77d2ea974193702f78

Review findings:

  • Blocking: crates/openshell-driver-vm/src/runtime.rs creates a predictable fallback parent under /tmp (/tmp/openshell-<uid>) but only validates the final osd-gv child. Another local user can pre-create the parent and retain control over rename/delete/replace races around the child socket directory. Please validate/create the fallback parent itself with the same owner, symlink, directory, and mode checks, and avoid create_dir_all() across unvalidated intermediate components. This is a CWE-377/CWE-367 class issue.
  • Warning: add focused coverage for fallback parent creation and secure directory mode/ownership where practical.

Docs: no Fern docs update is required; this is build hermeticity and internal runtime path hardening.

Next state: gator:in-review
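The blocking finding above asks for every component of the fallback path to be validated, not only the osd-gv leaf, and for create_dir_all() to be avoided across unvalidated intermediates. The Rust below is an added example written for this page, not code from openshell-driver-vm or its runtime.rs: it builds <base>/openshell-<uid>/osd-gv one component at a time with mode 0700, checks each one with lstat as a non-symlink directory owned by the caller with no group or other access, refuses to adopt (or chmod into shape) a pre-existing component that fails those checks, and additionally requires a world-writable base such as /tmp to carry the sticky bit so another user cannot rename or unlink the per-user component after the check. The function names (secure_fallback_socket_dir, check_private_dir, ensure_private_component), the base-directory parameter, and the getuid FFI declaration are assumptions of the example.

```rust
use std::fs::{self, DirBuilder};
use std::io::{self, ErrorKind};
use std::os::unix::fs::{DirBuilderExt, MetadataExt};
use std::path::{Path, PathBuf};

// Assumption of this example: bind getuid(2) from the C library that std already
// links, so the snippet needs no external crates. uid_t is u32 on Linux and Darwin.
unsafe extern "C" {
    fn getuid() -> u32;
}

pub fn current_uid() -> u32 {
    // SAFETY: getuid has no preconditions and always succeeds.
    unsafe { getuid() }
}

fn reject(path: &Path, why: &str) -> io::Error {
    io::Error::new(
        ErrorKind::PermissionDenied,
        format!("{}: {}", path.display(), why),
    )
}

/// A component is acceptable only if it is a real directory (lstat, so a symlink
/// is seen as a symlink rather than followed), owned by `uid`, and closed to
/// group and others.
pub fn check_private_dir(path: &Path, uid: u32) -> io::Result<()> {
    let md = fs::symlink_metadata(path)?;
    if md.file_type().is_symlink() {
        return Err(reject(path, "is a symlink"));
    }
    if !md.is_dir() {
        return Err(reject(path, "is not a directory"));
    }
    if md.uid() != uid {
        return Err(reject(path, "is owned by another uid"));
    }
    if (md.mode() & 0o077) != 0 {
        return Err(reject(path, "is accessible to group or others"));
    }
    Ok(())
}

/// Create one path component with mode 0700, or accept an existing one only if it
/// passes the same checks. An existing directory is never chmod'ed or chown'ed
/// into compliance: that would adopt a directory planted by someone else.
fn ensure_private_component(path: &Path, uid: u32) -> io::Result<()> {
    match DirBuilder::new().mode(0o700).create(path) {
        Ok(()) => {}
        Err(e) if e.kind() == ErrorKind::AlreadyExists => {}
        Err(e) => return Err(e),
    }
    check_private_dir(path, uid)
}

/// Resolve `<base>/openshell-<uid>/osd-gv`, creating and validating each
/// component in turn. Returns the socket directory on success.
pub fn secure_fallback_socket_dir(base: &Path, uid: u32) -> io::Result<PathBuf> {
    // `base` (normally /tmp) is shared. If it is world-writable it must carry the
    // sticky bit, otherwise another user could rename or unlink our component
    // between our check and our use of it. metadata() follows symlinks here on
    // purpose: on Darwin /tmp is a symlink to /private/tmp.
    let base_md = fs::metadata(base)?;
    if !base_md.is_dir() {
        return Err(reject(base, "is not a directory"));
    }
    let base_mode = base_md.mode();
    if (base_mode & 0o002) != 0 && (base_mode & 0o1000) == 0 {
        return Err(reject(base, "is world-writable without the sticky bit"));
    }

    // Validate the intermediate component explicitly instead of create_dir_all():
    // create_dir_all would walk through a parent someone else pre-created.
    let parent = base.join(format!("openshell-{uid}"));
    ensure_private_component(&parent, uid)?;
    let sock_dir = parent.join("osd-gv");
    ensure_private_component(&sock_dir, uid)?;
    Ok(sock_dir)
}

fn main() -> io::Result<()> {
    let dir = secure_fallback_socket_dir(Path::new("/tmp"), current_uid())?;
    println!("using fallback socket directory {}", dir.display());
    Ok(())
}
```

The remaining window between check and use is bounded by the sticky bit on the base: another user can pre-create /tmp/openshell-<uid> before the first run (which this code rejects because the owner differs), but cannot replace or remove it once it exists with the right owner. Everything below that component is 0700 and owned by the caller, so no other user can race the osd-gv child.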
