catball


at some point, one of my two nixos machines started making me need root for doing nix-shell any time the package isn't already in the nix store

long details below


(copied from this forum post i made.)

On one of my NixOS machines, I stopped being able to run nix-shell without root for some reason. I've tried a few things I've found googling and searching on the forums here, but nothing has worked so far. On the other NixOS machine I don't have this issue.

Issue

If I try to use nix-shell -p somePackage and somePackage isn't in the store yet, it fails with "error opening lock file ... Read-only filesystem".

If I then go sudo nix-shell -p somePackage it runs fine.

Then after having made a shell with sudo, I'm then able to open nix-shells with somePackage without needing root.

Example

cat@beppo ~> nix-shell -p xcaddy
error:
       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'shell'
         whose name attribute is located at /nix/store/27gmaqdprq2g8xrgk9jkp691qykb9c4s-nixos-24.05/nixos/pkgs/stdenv/generic/make-derivation.nix:331:7

       … while evaluating attribute 'buildInputs' of derivation 'shell'

         at /nix/store/27gmaqdprq2g8xrgk9jkp691qykb9c4s-nixos-24.05/nixos/pkgs/stdenv/generic/make-derivation.nix:378:7:

          377|       depsHostHost                = elemAt (elemAt dependencies 1) 0;
          378|       buildInputs                 = elemAt (elemAt dependencies 1) 1;
             |       ^
          379|       depsTargetTarget            = elemAt (elemAt dependencies 2) 0;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: opening lock file '/nix/store/dpshf2nsmygnd54df7ncq47c7rmrbjf7-inject_version_info.diff.lock': Read-only file system

Then with root:

cat@beppo ~> sudo nix-shell -p xcaddy
this path will be fetched (1.11 MiB download, 3.41 MiB unpacked):
  /nix/store/8grfa8lbq1lf0wxnhaxgfqmmcddhh6jy-xcaddy-0.4.2
copying path '/nix/store/8grfa8lbq1lf0wxnhaxgfqmmcddhh6jy-xcaddy-0.4.2' from 'https://cache.nixos.org'...

[nix-shell:/home/cat]# which xcaddy
/nix/store/8grfa8lbq1lf0wxnhaxgfqmmcddhh6jy-xcaddy-0.4.2/bin/xcaddy 

Now again without root, but successfully:

cat@beppo ~> nix-shell -p xcaddy

[nix-shell:~]$ which xcaddy
/nix/store/8grfa8lbq1lf0wxnhaxgfqmmcddhh6jy-xcaddy-0.4.2/bin/xcaddy

System Info (broken machine)

system info:

cat@beppo ~> nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.9.3, NixOS, 24.05 (Uakari), 24.05.984.0b8e7a1ae5a9`
 - multi-user?: `no`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"nixos-24.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

mount info:

cat@beppo ~> sudo findmnt -A -R &| tee mounts.txt
TARGET                          SOURCE                                                                                            FSTYPE     OPTIONS
/                               /dev/sdc:/dev/sda:/dev/sdb:/dev/sdd:/dev/sde:/dev/nvme1n1:/dev/nvme2n1:/dev/nvme0n1p2             bcachefs   rw,noatime,metadata_replicas=2,data_replicas=2,compression=lz4,foreground_target=ssd,background_target=hdd,promote_target=ssd,nojournal_transaction_names
├─/dev                          devtmpfs                                                                                          devtmpfs   rw,nosuid,size=6587852k,nr_inodes=16463976,mode=755
│ ├─/dev/pts                    devpts                                                                                            devpts     rw,nosuid,noexec,relatime,gid=3,mode=620,ptmxmode=666
│ ├─/dev/shm                    tmpfs                                                                                             tmpfs      rw,nosuid,nodev
│ ├─/dev/mqueue                 mqueue                                                                                            mqueue     rw,nosuid,nodev,noexec,relatime
│ └─/dev/hugepages              hugetlbfs                                                                                         hugetlbfs  rw,nosuid,nodev,relatime,pagesize=2M
├─/proc                         proc                                                                                              proc       rw,nosuid,nodev,noexec,relatime
├─/run                          tmpfs                                                                                             tmpfs      rw,nosuid,nodev,size=32939260k,mode=755
│ ├─/run/keys                   ramfs                                                                                             ramfs      rw,nosuid,nodev,relatime,mode=750
│ ├─/run/wrappers               tmpfs                                                                                             tmpfs      rw,nodev,relatime,mode=755
│ └─/run/user/1000              tmpfs                                                                                             tmpfs      rw,nosuid,nodev,relatime,size=13175704k,nr_inodes=3293926,mode=700,uid=1000,gid=999
├─/sys                          sysfs                                                                                             sysfs      rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security        securityfs                                                                                        securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup              cgroup2                                                                                           cgroup2    rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot
│ ├─/sys/fs/pstore              pstore                                                                                            pstore     rw,nosuid,nodev,noexec,relatime
│ ├─/sys/firmware/efi/efivars   efivarfs                                                                                          efivarfs   rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf                 bpf                                                                                               bpf        rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug           debugfs                                                                                           debugfs    rw,nosuid,nodev,noexec,relatime
│ │ └─/sys/kernel/debug/tracing tracefs                                                                                           tracefs    rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections    fusectl                                                                                           fusectl    rw,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/config          configfs                                                                                          configfs   rw,nosuid,nodev,noexec,relatime
├─/nix/store                    /dev/sdc:/dev/sda:/dev/sdb:/dev/sdd:/dev/sde:/dev/nvme1n1:/dev/nvme2n1:/dev/nvme0n1p2[/nix/store] bcachefs   ro,noatime,metadata_replicas=2,data_replicas=2,compression=lz4,foreground_target=ssd,background_target=hdd,promote_target=ssd,nojournal_transaction_names
└─/boot                         /dev/nvme0n1p1                                                                                    vfat       rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro

System info (working machine without this issue)

for comparison, here's the system info and mounts for my machine without the issue:

cat@bippo ~> nix-shell -p xcaddy
 - system: `"x86_64-linux"`
 - host os: `Linux 6.9.3, NixOS, 24.05 (Uakari), 24.05.984.0b8e7a1ae5a9`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - channels(root): `"nixos-24.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
TARGET                          SOURCE                                                    FSTYPE          OPTIONS
/                               /dev/sda:/dev/sdb:/dev/nvme0n1p2:/dev/nvme1n1             bcachefs        rw,noatime,compression=lz4,foreground_target=ssd,background_target=hdd,promote_target=ssd
├─/dev                          devtmpfs                                                  devtmpfs        rw,nosuid,size=1622720k,nr_inodes=4053346,mode=755
│ ├─/dev/pts                    devpts                                                    devpts          rw,nosuid,noexec,relatime,gid=3,mode=620,ptmxmode=666
│ ├─/dev/shm                    tmpfs                                                     tmpfs           rw,nosuid,nodev,size=16227200k
│ ├─/dev/mqueue                 mqueue                                                    mqueue          rw,nosuid,nodev,noexec,relatime
│ └─/dev/hugepages              hugetlbfs                                                 hugetlbfs       rw,nosuid,nodev,relatime,pagesize=2M
├─/proc                         proc                                                      proc            rw,nosuid,nodev,noexec,relatime
├─/run                          tmpfs                                                     tmpfs           rw,nosuid,nodev,size=8113600k,mode=755
│ ├─/run/keys                   ramfs                                                     ramfs           rw,nosuid,nodev,relatime,mode=750
│ ├─/run/wrappers               tmpfs                                                     tmpfs           rw,nodev,relatime,size=16227200k,mode=755
│ └─/run/user/1000              tmpfs                                                     tmpfs           rw,nosuid,nodev,relatime,size=3245436k,nr_inodes=811359,mode=700,uid=1000,gid=998
│   ├─/run/user/1000/gvfs       gvfsd-fuse                                                fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=998
│   └─/run/user/1000/doc        portal                                                    fuse.portal     rw,nosuid,nodev,relatime,user_id=1000,group_id=998
├─/sys                          sysfs                                                     sysfs           rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security        securityfs                                                securityfs      rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup              cgroup2                                                   cgroup2         rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot
│ ├─/sys/fs/pstore              pstore                                                    pstore          rw,nosuid,nodev,noexec,relatime
│ ├─/sys/firmware/efi/efivars   efivarfs                                                  efivarfs        rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf                 bpf                                                       bpf             rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug           debugfs                                                   debugfs         rw,nosuid,nodev,noexec,relatime
│ │ └─/sys/kernel/debug/tracing tracefs                                                   tracefs         rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections    fusectl                                                   fusectl         rw,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/config          configfs                                                  configfs        rw,nosuid,nodev,noexec,relatime
├─/nix/store                    /dev/sda:/dev/sdb:/dev/nvme0n1p2:/dev/nvme1n1[/nix/store] bcachefs        ro,noatime,compression=lz4,foreground_target=ssd,background_target=hdd,promote_target=ssd
└─/boot                         /dev/nvme0n1p1                                            vfat            rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro

Thank you! Please let me know if you have additional questions I can answer or ideas of things I can try!



in reply to @catball's post:

...is the nix daemon running (systemctl status nix-daemon)? i don't think i've ever seen a non-multi-user nixos install, that's really weird. the fact that it's not multi-user explains the issue, since all tools would be trying to touch the nix store as the user running nix-shell, instead of the user running the nix daemon (ie. root)

oh weird! I don't know why / how it's a non-multi-user install. I did do a manual install from the non-graphical installer, maybe I somehow dinked that up.

Regarding nix daemon-- it's not presently running and looks like it's socket-activated on broken machine:

~> sudo systemctl status nix-daemon
○ nix-daemon.service - Nix Daemon
     Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: enabled)
    Drop-In: /nix/store/5j5zlrdqy94q391isb1r00yhdrfadj08-system-units/nix-daemon.service.d
             └─overrides.conf
     Active: inactive (dead)
TriggeredBy: ● nix-daemon.socket
       Docs: man:nix-daemon
             https://nixos.org/manual

on working machine it's actively running like a daemon:

~> sudo systemctl status nix-daemon
● nix-daemon.service - Nix Daemon
     Loaded: loaded (/etc/systemd/system/nix-daemon.service; linked; preset: enabled)
    Drop-In: /nix/store/6jzsp6r77hfxhf04ajzijn446x5bzrlf-system-units/nix-daemon.service.d
             └─overrides.conf
     Active: active (running) since Thu 2024-06-06 20:10:04 PDT; 20h ago
TriggeredBy: ● nix-daemon.socket
       Docs: man:nix-daemon
             https://nixos.org/manual
   Main PID: 2894502 (nix-daemon)
         IP: 1.1M in, 28.2K out
         IO: 27.1M read, 1.4M written
      Tasks: 2 (limit: 1048576)
     Memory: 16.3M (peak: 28.0M)
        CPU: 5.409s
     CGroup: /system.slice/nix-daemon.service
             └─2894502 nix-daemon --daemon

Jun 07 15:36:00 bippo nix-daemon[2894502]: accepted connection from pid 2908639, user cat
Jun 07 15:36:01 bippo nix-daemon[2894502]: accepted connection from pid 2909126, user cat
Jun 07 16:09:05 bippo nix-daemon[2894502]: accepted connection from pid 2910005, user cat
Jun 07 16:09:06 bippo nix-daemon[2894502]: accepted connection from pid 2910966, user cat
Jun 07 16:09:07 bippo nix-daemon[2894502]: accepted connection from pid 2911454, user cat
Jun 07 16:09:07 bippo nix-daemon[2894502]: accepted connection from pid 2911940, user cat
Jun 07 16:09:23 bippo nix-daemon[2894502]: accepted connection from pid 2912474, user cat
Jun 07 16:09:24 bippo nix-daemon[2894502]: accepted connection from pid 2913436, user cat
Jun 07 16:09:24 bippo nix-daemon[2894502]: accepted connection from pid 2913924, user cat
Jun 07 16:09:25 bippo nix-daemon[2894502]: accepted connection from pid 2914410, user cat

good insight!!

having never encountered this or anything like it and thus merely guessing:

i'd check the permissions on /nix/var/nix/daemon-socket and everything in the directories above it. on my system, the daemon socket is root:root owned with 0666 permissions (rw to all) and the directories above are root:root 0755

you can check to see if your user can ping the daemon with nix doctor and/or nix store ping --store daemon (may need --extra-experimental-features nix-command if not enabled). on my system, doctor returns identical output as root/non-root, while nix store ping --store daemon includes "Trusted: 0" on my user while being "Trusted: 1" as root

if the thing isn't working at all, sudo systemctl status nix-daemon.socket might also be enlightening, or maybe totally useless, idk

I'm not sure, but what I do know is that it's normal for the /nix/store to be mounted read-only most of the time when using multi-user Nix (it's a defense-in-depth security precaution that Nix takes). What happens in multi-user Nix is that whenever you perform an operation on the Nix store the nix-daemon temporarily remounts the /nix/store to be read-write and then when the operation is done it remounts the /nix/store read-only to protect against further tampering.

What's not clear to me is why this is no longer working for you when you run nix-shell. My best guess is that (for some inexplicable reason) the nix-shell command is not running in multi-user mode, because if that were the case then it would try to modify the /nix/store directly (instead of going through the nix-daemon) and you'd see exactly that same problem.

Usually the way the Nix CLI checks to see if it should use multi-user mode is if the NIX_REMOTE environment variable is set to daemon. See:

https://nix.dev/manual/nix/2.22/installation/multi-user.html?highlight=NIX_REMOTE#running-the-daemon

You should check the value of that environment variable. However, if that were the problem I'd expect other Nix commands to fail in the same way (not just nix-shell).
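
The checks suggested across the replies above (read-only /nix/store mount, NIX_REMOTE, daemon socket permissions), collected into one script as an added example; it is not code from any poster or from the Nix project. The function names and verdict strings are hypothetical, the sample findmnt rows are constructed from the post's output, and the socket file path inside /nix/var/nix/daemon-socket is assumed to be the default.

```shell
#!/bin/sh
# Added diagnostic sketch; function names and verdict strings are hypothetical.

# Constructed sample: the / and /nix/store rows from the broken machine's
# findmnt output, with the device list and option list shortened.
sample_findmnt() {
    printf '%s\n' \
        '/            /dev/sdc:/dev/sda             bcachefs rw,noatime' \
        '├─/nix/store /dev/sdc:/dev/sda[/nix/store] bcachefs ro,noatime'
}

# Read `findmnt -A -R` output on stdin; print ro or rw for the /nix/store mount.
store_mount_mode() {
    awk '$1 ~ /\/nix\/store$/ {
        n = split($NF, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "ro" || opt[i] == "rw") { print opt[i]; exit }
    }'
}

# $1 = store mount mode, $2 = NIX_REMOTE value, $3 = octal mode of the daemon
# socket (empty if the socket does not exist).
verdict() {
    if [ "$1" != ro ]; then
        echo "store-not-read-only"; return
    fi
    case "$2" in
        daemon)
            case "$3" in
                "")    echo "daemon-selected-but-socket-missing" ;;
                *[67]) echo "ok-via-daemon" ;;  # world read+write, e.g. 0666
                *)     echo "daemon-selected-but-socket-not-world-rw" ;;
            esac ;;
        "") echo "nix-remote-unset-check-multi-user" ;;
        *)  echo "nix-remote-is-$2" ;;
    esac
}

# Live mode: inspect this machine. The socket path is the assumed default
# location inside the /nix/var/nix/daemon-socket directory named in the thread.
if [ "${1:-}" = "--live" ]; then
    mode=$(findmnt -A -R | store_mount_mode)
    sock=$(stat -c %a /nix/var/nix/daemon-socket/socket 2>/dev/null || true)
    echo "store mount: ${mode:-not a separate mount}"
    echo "NIX_REMOTE:  ${NIX_REMOTE:-<unset>}"
    echo "socket mode: ${sock:-<missing>}"
    verdict "$mode" "${NIX_REMOTE:-}" "$sock"
fi
```

Run it with `--live` as the unprivileged user on the affected machine; a read-only store combined with anything other than `ok-via-daemon` matches the situation the replies describe, where the client writes to the store as the calling user.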