Distributed build: Difference between revisions

imported>Das j
m Add benchmark feature (used by pkgs/top-level/metrics.nix)
imported>Symphorien
Explain how to set up remote builders as substituters.
Line 116: Line 116:
To know what features a derivation needs, you can run {{Commands|$ nix show-derivation /nix/store/hash-foo.drv | grep requiredSystemFeatures}}
To know what features a derivation needs, you can run {{Commands|$ nix show-derivation /nix/store/hash-foo.drv | grep requiredSystemFeatures}}


====Using remote builders as substituters====
If you have two remote builders A and B (where A has higher speed than B), that a derivation foo.drv is already built on B, and that your local machine needs to build foo.drv, then it will:
* build (possibly remotely) all the build dependencies of foo.drv
* build foo.drv on A
Even if foo.drv is 'also' on A, you will still have to build the build dependencies of foo.drv before sending the build to A which will build it instantly since it is in cache.
To solve this problem, you can set up your remote builders as substituters. Every time (the local machine's) nix considers building a derivation, it will connect to the remote builders to check whether it is already available there. Here is how to set this up via ssh. See also [[Binary Cache]] for an alternative using http and nix-serve.
1. On the remote builder, create a binary cache key:
{{bc|
$ nix-store --generate-binary-cache-key builder-name cache-priv-key.pem cache-pub-key.pem
}}
The private key must be readable only by the user running the build: ??? on multi-user installs, and the owner of /nix on single-user installs.
<code>builder-name</code> is only here for your convenience to distinguish several public keys, it has no functional meaning.
2. On the remote builder, set up nix to sign all store paths it builds: in the nix configuration (<code>/etc/nix/nix.conf</code> on multi-user installs and <code>~/.config/nix/nix.conf</code> on single user installs), add the following line
{{bc|
<nowiki>secret-key-files = /path/to/cache-priv-key.pem</nowiki>
}}
If necessary, restart the nix daemon.
3. The previous point does not retroactively sign existing paths in the store of the builder. To do so, run
{{bc|
$ nix sign-paths --all -k /path/to/cache-priv-key.pem
}}
4. In the nix configuration of the local machine, append the content of <code>cache-pub-key.pem</code> to the option <code>trusted-public-keys</code>. Also append <code>ssh-ng://builder</code> to the option <code>substituters</code>.
If you only want to use the remote builder occasionally as a substituter, use <code>trusted-substituters</code> instead of <code>substituters</code>. Then, when you want to use the builder, pass <code>--option extra-substiters ssh-ng://builder</code> to the nix command you run.
== Troubleshooting ==
== Troubleshooting ==
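Review bot: In the last added paragraph (occasional use via <code>trusted-substituters</code>), the option in <code>--option extra-substiters ssh-ng://builder</code> is misspelled, so the command as written would not add the builder as a substituter; it should read <code>--option extra-substituters ssh-ng://builder</code>, matching the spelling of <code>substituters</code> and <code>trusted-substituters</code> in the same paragraph. In step 1, the sentence on who may read the private key still carries a <code>???</code> placeholder for multi-user installs; since that sentence is the only guidance on protecting the signing key, the user should be named before this revision is kept. Step 4 would also benefit from one sentence stating that adding the key to <code>trusted-public-keys</code> makes the local machine accept any store path signed by that builder.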