nix-fast-build.sh: Make sure ssh multiplexing is not used #307

Merged
merged 2 commits into from
Nov 20, 2024
105 changes: 53 additions & 52 deletions nix/devshell.nix
Expand Up @@ -2,60 +2,61 @@
# SPDX-License-Identifier: Apache-2.0
{
perSystem =
{ pkgs, ... }:
{ pkgs, inputs', ... }:
{
devShells.default = pkgs.mkShell {
packages = with pkgs; [
azure-cli
git
jq
nix
nix-fast-build
nixfmt-rfc-style
nixos-rebuild
# parallel_env requires 'compgen' function, which is available
# in bashInteractive, but not bash
bashInteractive
parallel
python3.pkgs.black
python3.pkgs.colorlog
python3.pkgs.deploykit
python3.pkgs.invoke
python3.pkgs.pycodestyle
python3.pkgs.pylint
python3.pkgs.tabulate
reuse
sops
ssh-to-age
deploy-rs
wget
(terraform.withPlugins (p: [
# We need to override the azurerm version to fix the issue described
# in https://ssrc.atlassian.net/browse/SP-4926.
# TODO:
# Below override is no longer needed when the azurerm version we
# get from the nixpkgs pinned in ghaf-infra flake includes a fix for
# https://github.com/hashicorp/terraform-provider-azurerm/issues/24444.
# At the time of writing, ghaf-infra flake pins to
# nixos-24.05, that ships with azurerm v3.97.1 which is broken.
# For more information on the available azurerm versions, see:
# https://registry.terraform.io/providers/hashicorp/azurerm.
(p.azurerm.override {
owner = "hashicorp";
repo = "terraform-provider-azurerm";
rev = "v3.85.0";
hash = "sha256-YXVSApUnJlwxIldDoijl72rA9idKV/vGRf0tAiaH8cc=";
vendorHash = null;
})
p.external
p.local
p.null
p.random
p.secret
p.sops
p.tls
]))
];
packages =
(with pkgs; [
azure-cli
git
jq
nix
nixfmt-rfc-style
nixos-rebuild
# parallel_env requires 'compgen' function, which is available
# in bashInteractive, but not bash
bashInteractive
parallel
python3.pkgs.black
python3.pkgs.colorlog
python3.pkgs.deploykit
python3.pkgs.invoke
python3.pkgs.pycodestyle
python3.pkgs.pylint
python3.pkgs.tabulate
reuse
sops
ssh-to-age
deploy-rs
wget
(terraform.withPlugins (p: [
# We need to override the azurerm version to fix the issue described
# in https://ssrc.atlassian.net/browse/SP-4926.
# TODO:
# Below override is no longer needed when the azurerm version we
# get from the nixpkgs pinned in ghaf-infra flake includes a fix for
# https://github.com/hashicorp/terraform-provider-azurerm/issues/24444.
# At the time of writing, ghaf-infra flake pins to
# nixos-24.05, that ships with azurerm v3.97.1 which is broken.
# For more information on the available azurerm versions, see:
# https://registry.terraform.io/providers/hashicorp/azurerm.
(p.azurerm.override {
owner = "hashicorp";
repo = "terraform-provider-azurerm";
rev = "v3.85.0";
hash = "sha256-YXVSApUnJlwxIldDoijl72rA9idKV/vGRf0tAiaH8cc=";
vendorHash = null;
})
p.external
p.local
p.null
p.random
p.secret
p.sops
p.tls
]))
])
++ [ inputs'.nix-fast-build.packages.default ];
};
};
}
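Review bot: The trailing `++ [ inputs'.nix-fast-build.packages.default ]` forces the whole `with pkgs; [ ... ]` list to be parenthesised and re-indented, which is why swapping one package shows up as 53 additions and 52 deletions. `with pkgs;` does not shadow the `inputs'` function argument, so `inputs'.nix-fast-build.packages.default` can sit directly inside the existing list in the slot where `nix-fast-build` was, leaving only the argument line and one list entry changed. A one-line comment on that entry saying why the devshell takes nix-fast-build from the flake input rather than from nixpkgs would help later readers. Since the tool now comes from a separate input, please also confirm that input is declared and locked in flake.nix and flake.lock, which are not among the lines shown here.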
11 changes: 10 additions & 1 deletion scripts/nix-fast-build.sh
Expand Up @@ -98,12 +98,21 @@ nix_fast_build () {
[ "$DEBUG" = "true" ] && set -x
echo ""
echo "[+] $(date +"$tfmt") Start: nix-fast-build '$target'"
# Do not use ssh ControlMaster as it might cause issues with
# nix-fast-build the way we use it. SSH multiplexing needs to be disabled
# both by exporting `NIX_SSHOPTS` and `--remote-ssh-option` since
# `--remote-ssh-option` only impacts commands nix-fast-build invokes
# on remote over ssh. However, some nix commands nix-fast-build runs
# locally (e.g. uploading sources) internally also make use of ssh. Thus,
# we need to export the relevant option in `NIX_SSHOPTS` to completely
# disable ssh multiplexing:
export NIX_SSHOPTS="-o ControlMaster=no"
# shellcheck disable=SC2086 # intented word splitting of $OPTS
nix-fast-build \
--flake "$target" \
--eval-workers 4 \
--option verbose 1 \
--option accept-flake-config true \
--remote-ssh-option ControlMaster no \
--remote-ssh-option StrictHostKeyChecking no \
--remote-ssh-option UserKnownHostsFile /dev/null \
--remote-ssh-option ConnectTimeout 10 \
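Review bot: `export NIX_SSHOPTS="-o ControlMaster=no"` inside `nix_fast_build` overwrites any `NIX_SSHOPTS` the caller had already set, and because it is exported it stays in effect for everything the script runs after the function returns. Consider appending to the existing value, for example `export NIX_SSHOPTS="${NIX_SSHOPTS:-} -o ControlMaster=no"`, or scoping it to this one command by prefixing the `nix-fast-build` invocation with the assignment instead of exporting it. Separately, the unchanged context lines pass `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` for the remote ssh commands, so the builder's host key is not verified there, while the new `NIX_SSHOPTS` carries only the ControlMaster setting; if that difference between the local and remote ssh paths is deliberate, the new comment should say so.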