Distributed build: Difference between revisions
Malteneuss (talk | contribs) Fix typo |
Malteneuss (talk | contribs) m Make ssh access table more beginner friendly |
||
Line 9: | Line 9: | ||
The main tool to connect to a remote builder, exchange files and trigger builds is SSH. | The main tool to connect to a remote builder, exchange files and trigger builds is SSH. | ||
Depending on how you installed the [https://nixos.org/download/ Nix package manager], | |||
* '''"multi-user"''' (system-wide installation; default on NixOS, normal case for most private Linux distro users) or | |||
* '''"single-user"''' (installed only for a single user on the machine; used when no root/admin rights were available for the user), | |||
on your local and remote machine you need to allow a certain local SSH user (on your local machine) to connect to a certain remote SSH user (on the remote machine): | |||
{| class="wikitable" style="margin:auto" | {| class="wikitable" style="margin:auto" | ||
|- | |- | ||
! Local Machine ! | ! Nix Installation | ||
Local Machine | |||
! Nix Installation | |||
Remote Builder | |||
! SSH Connection Requirements | |||
|- | |- | ||
| | | '''Multi-user''' || '''Multi-user''' || '''Local''' machine's {{ic|root}} user needs SSH access to ''a'' user on the '''remote''' machine. '''(most frequent case)''' | ||
|- | |- | ||
| Single-user | | Single-user || Multi-user || ''Your'' user on your '''Local''' machine needs SSH access to ''a'' user on the '''remote''' machine. | ||
|- | |- | ||
| | | Multi-user || Single-user || '''Local''' machine's {{ic|root}} user needs SSH access to the user on the '''remote''' machine, with Nix installed with their UID (see [https://nixos.org/manual/nix/stable/installation/single-user.html Nix manual page]). | ||
|- | |- | ||
| Single-user | | Single-user || Multi-user || ''Your'' user on your '''Local''' machine needs SSH access to the user on the '''remote''' machine, with Nix installed with their UID (see [https://nixos.org/manual/nix/stable/installation/single-user.html Nix manual page]). | ||
|} | |} | ||
In any case, the | The thing to know about the '''"Multi-user"''' installation is that '''Nix is installed with a "nix-daemon" background process that runs as root''' and actually manages the builds on your behalf. So when your non-root user calls '''"nix build ...", this is delegated to the nix-daemon''' process, which runs as root. And this process can further delegate the build to a remote builder; that's why the '''local machine's root user''' needs the SSH access. | ||
In any case, the good test for Nix SSH access, that takes this into account, is: | |||
{{Commands|nix store ping --store ssh://<REMOTE-BUILDER>}} | {{Commands|nix store ping --store ssh://<REMOTE-BUILDER>}} |
Revision as of 13:52, 9 May 2024
When your local machine is too slow or doesn't have the right CPU architecture or operating system for the Nix derivation you want to build, you can delegate the build to some other remote machine. You only need SSH access to the remote machine and both machines need to have the Nix package manager installed; the remote machine doesn't need to run NixOS, any Linux distro like Debian, Ubuntu, Arch or others where Nix can be installed, should work.
There is a dedicated chapter in the Nix Manual but it may be difficult to follow for beginners.
This is an easier, step-by-step guide to setting up a "remote builder" machine to create distributed builds, and includes some SSH tips that are out of scope for the Nix Manual chapter.
Prerequisites
The main tool to connect to a remote builder, exchange files and trigger builds is SSH.
Depending on how you installed the Nix package manager,
- "multi-user" (system-wide installation; default on NixOS, normal case for most private Linux distro users) or
- "single-user" (installed only for a single user on the machine; used when no root/admin rights were available for the user),
on your local and remote machine you need to allow a certain local SSH user (on your local machine) to connect to a certain remote SSH user (on the remote machine):
Nix Installation
Local Machine |
Nix Installation
Remote Builder |
SSH Connection Requirements |
---|---|---|
Multi-user | Multi-user | Local machine's root user needs SSH access to a user on the remote machine. (most frequent case)
|
Single-user | Multi-user | Your user on your Local machine needs SSH access to a user on the remote machine. |
Multi-user | Single-user | Local machine's root user needs SSH access to the user on the remote machine, with Nix installed with their UID (see Nix manual page).
|
Single-user | Multi-user | Your user on your Local machine needs SSH access to the user on the remote machine, with Nix installed with their UID (see Nix manual page). |
The thing to know about the "Multi-user" installation is that Nix is installed with a "nix-daemon" background process that runs as root and actually manages the builds on your behalf. So when your non-root user calls "nix build ...", this is delegated to the nix-daemon process, which runs as root. And this process can further delegate the build to a remote builder; that's why the local machine's root user needs the SSH access.
In any case, the good test for Nix SSH access, that takes this into account, is:
nix store ping --store ssh://<REMOTE-BUILDER>
Where <REMOTE-BUILDER>
is the remote builder's IP address, host address or whatever name you configure in ~/.ssh/config
or /root/.ssh/config
, including the user@
prefix.
An alternative check is:
ssh <REMOTE-BUILDER> 'type nix-store'
The following sections guide you how to setup such authentication, with security in mind, and maximal comfort, assuming basic knowledge about SSH authentication keys.
General best practices
It is recommended to not allow root
access to the remote machine, even if only via an SSH public/private key pair. Especially because it's not required in any of the 4 scenarios described in the table above.
In all of the cases above it is recommended to create an SSH public / private key pair without a passphrase, so that you won't have to run ssh-add
along with ssh-agent
prior to using the remote builder. When the local machine has NixOS / System-wide installation of Nix you'd probably need to spawn eval $(ssh-agent)
while you are logged in as root
. Not using a passphrase for the SSH key allows other users to enjoy the remote builder.
Since the access to the remote machine doesn't have to be privileged, you can choose to login to a weakly privileged, and password-locked user on the remote machine, which may help you feel comfortable with the fact root
can access it without a passphrase.
When the remote machine doesn't have NixOS / System-wide Nix installation, the only option is to allow access without passphrase and with an SSH key to the user with Nix installed for them.
Recommended System-wide Nix –> System-wide Nix setup
For the common case where your local Nix is installed system-wide, create a user on the remote machine that will have an unwriteable home directory, with a ~/.ssh/authorized_keys
in it, that will allow SSH access to that user without a passphrase. The steps are:
- ssh
to the remote builder.
- Run (requires privileges) useradd -m -L nixremote
where -L
locks the user such that nobody will be able to su
to it, and -m
makes sure a home directory is created for the nixremote
user.
- Run (requires privileges) mkdir ~nixremote/.ssh
.
If your remote builder has Nix installed system-wide, but without NixOS, you may need to add something like the following to your /etc/ssh/sshd_config
:
/etc/ssh/sshd_config
SetEnv PATH=/nix/var/nix/profiles/default/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
So that straight away when logging in, your $PATH
will include nix' executables' directory.
Then, on your local machine, create the private / public key pair without a passphrase, as root:
# ssh-keygen -f /root/.ssh/nixremote
Copy the contents of /root/.ssh/nixremote.pub
from your local machine to the remote builder ~nixremote/.ssh/authorized_keys
.
Then to further harden the setup, remove write permissions from everyone on the remote host's nixremote
home directory:
# chmod -R a-w ~nixremote
Now you want to make it easy for root
on your local machine to connect to nixremote@builder
. You can do that by creating the following /root/.ssh/config
on the local machine:
/root/.ssh/config
Host builder # Replace by IP address, or add a ProxyCommand, see `man ssh_config` for full docs.
# Prevent using ssh-agent or another keyfile, useful for testing
IdentitiesOnly yes
IdentityFile /root/.ssh/nixremote
# The weakly privileged user on the remote builder – if not set, 'root' is used – which will hopefully fail
User nixremote
You may also want to make nix on the remote machine trust that new user by adding it to nix.settings.trusted-users
if it's using NixOS, or by manually adding trusted-users = nixremote
to /etc/nix/nix.conf
.
You may also want to tell Nix on your local machine that the remote builder is available, and tell it what are its supported features (see missing nix documentation issue). If your local machine uses NixOS, you can use the documented nix.buildMachines
NixOS option.
Here's an example NixOS configuration that may be a useful inspiration:
/etc/nixos/configuration.nix
{ config, pkgs, ... }:
{
# You can see the resulting builder-strings of this NixOS-configuration with "cat /etc/nix/machines".
# These builder-strings are used by the Nix terminal tool, e.g.
# when calling "nix build ...".
nix.buildMachines = [{
# Will be used to call "ssh builder" to connect to the builder machine.
# The details of the connection (user, port, url etc.)
# are taken from your "~/.ssh/config" file.
hostName = "builder";
# CPU architecture of the builder, and the operating system it runs.
# Replace the line by the architecture of your builder, e.g.
# - Normal Intel/AMD CPUs use "x86_64-linux"
# - Raspberry Pi 4 and 5 use "aarch64-linux"
# - M1, M2, M3 ARM Macs use "aarch64-darwin"
# - Newer RISCV computers use "riscv64-linux"
# If your builder supports multiple architectures
# (e.g. search for "binfmt" for emulation),
# you can list them all, e.g. replace with
# systems = ["x86_64-linux" "aarch64-linux" "riscv64-linux"];
system = "x86_64-linux";
protocol = "ssh-ng";
# default is 1 but may keep the builder idle in between builds
maxJobs = 3;
# how fast is the builder compared to your local machine
speedFactor = 2;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ];
}];
# required, otherwise remote buildMachines above aren't used
nix.distributedBuilds = true;
# optional, useful when the builder has a faster internet connection than yours
nix.extraOptions = ''
builders-use-substitutes = true
'';
}
Remote builders' features
Each builder is declared with a set of supportedFeatures
.
When a builder lacks one of the requiredSystemFeatures
of a derivation, it will be ignored. Here are some features used in nixpkgs:
Feature | Derivations requiring it |
---|---|
kvm
|
Everything which builds inside a vm, like NixOS tests |
nixos-test
|
Machine can run NixOS tests |
big-parallel
|
kernel config, libreoffice, evolution, llvm and chromium |
benchmark
|
Machine can generate metrics (means the builds usually takes the same amount of time) |
Non-standard Nix installations
If you are not root on the remote builder and have used nix-user-chroot or PRoot to install nix there (see Nix Installation Guide) then nix is not available on the PATH of the remote builder. We describe a solution for nix-user-chroot which is easily adapted to PRoot.
- Create a script
~/bin/nix_wrapper.sh
as follows:
#!/bin/sh
exec ~/bin/nix-user-chroot ~/.nix bash -c '
. ~/.nix-profile/etc/profile.d/nix.sh
exec $SSH_ORIGINAL_COMMAND
'
Of course, adapt this script to the location of the store and nix-user-chroot. Make the script executable.
- In
~/.ssh/authorized_keys
, locate the line corresponding to~/.ssh/nixremote.pub
and prepend this:command="/home/something/bin/nix_wrapper.sh"
.
Now ssh will transparently run nix-user-chroot when you connect to the remote builder with the specified ssh key.
Using remote builders
Local builder
Your local machine is still a builder, so when connecting to remote builders fails, nix will fall back to building locally.
To never use the local machine, set the max-jobs
nix option to 0:
$ nix-build -j0 blah
Using remote builders as substituters
If you have two remote builders A and B (where A has higher speed than B), if a derivation foo.drv is already built on B, and your local machine needs to build foo.drv, then it will:
- build (possibly remotely) all the build dependencies of foo.drv
- build foo.drv on A
Even if foo.drv is also on A, you will still have to build the build dependencies of foo.drv before sending the build to A, which will build it instantly since it is in cache.
To solve this problem, you can set up your remote builders as substituters. Every time (the local machine's) nix considers building a derivation, it will connect to the remote builders to check whether it is already available there. Here is how to set this up via ssh. See also Binary Cache for an alternative using http and nix-serve.
1. On the remote builder, create a binary cache key:
$ nix-store --generate-binary-cache-key builder-name cache-priv-key.pem cache-pub-key.pem
The private key must be readable only by the user running the build: ??? on multi-user installs, and the owner of /nix on single-user installs.
builder-name
is only here for your convenience to distinguish several public keys, it has no functional meaning.
2. On the remote builder, set up nix to sign all store paths it builds: in the nix configuration (/etc/nix/nix.conf
on multi-user installs and ~/.config/nix/nix.conf
on single user installs), add the following line:
secret-key-files = /path/to/cache-priv-key.pem
If necessary, restart the nix daemon.
3. The previous point does not retroactively sign existing paths in the store of the builder. To do so, run
$ nix sign-paths --all -k /path/to/cache-priv-key.pem
4. In the nix configuration of the local machine, append the content of cache-pub-key.pem
to the option trusted-public-keys
. Also append ssh-ng://builder
to the option substituters
.
If you only want to use the remote builder occasionally as a substituter, use trusted-substituters
instead of substituters
. Then, when you want to use the builder, pass --option extra-substituters ssh-ng://builder
to the nix command you run.
Troubleshooting
- How do I know if I'm distributing my build at all?
- Run
nix build
with--max-jobs 0
.
- Run
- How do I know why my builds aren't being distributed?
- Run
nix build -vvvvvvvvv 2>&1 | less
and search fordecline
.
- Run
- I can
nix store ping
but the build doesn't distribute.- If on NixOS, Check that
nix store ping
command works when run as root. - If you configured builders on the command line (with
--builders
), make sure your account is innix.trustedUsers
in/etc/nixos/configuration.nix
. Only/etc/nix/nix.conf
is taken into account otherwise.
- If on NixOS, Check that
- I can ping the store as root, but I'm getting "broken pipe" errors when trying to distribute.
- You may have hit bug #46038. Add
nix.distributedBuilds = true;
toconfiguration.nix
andnixos-rebuild switch
.
- You may have hit bug #46038. Add