restrict-eval is set to true by default #12659

Closed
2 tasks done
eureka-cpu opened this issue Mar 14, 2025 · 2 comments

eureka-cpu commented Mar 14, 2025

Describe the bug

The documentation states that restrict-eval in nix.conf is set to false by default: https://hydra.nixos.org/build/292448195/download/1/manual/command-ref/conf-file.html#conf-restrict-eval. However, I'm running into errors that should only happen if restrict-eval is true. The configuration does not have restrict-eval set at all...

nix-repl> outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.allowed-uris
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.allowed-users
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.auto-optimise-store
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.cores
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.experimental-features
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.extra-platforms
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.extra-sandbox-paths
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.flake-registry
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.gc-keep-derivations
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.gc-keep-outputs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.max-jobs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.netrc-file
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.post-build-hook
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.pre-build-hook
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.require-sigs
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.sandbox
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.sandbox-fallback
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.substituters
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.system-features
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-public-keys
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-substituters
outputs.nixosConfigurations.dev-vm-hydra-main-01.config.nix.settings.trusted-users
error: access to URI 'github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609?narHash=sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck%3D' is forbidden in restricted mode
error: worker error: error:
              … in the right operand of the update (//) operator
                at /nix/store/sk4ga2wy0b02k7pnzakwq4r3jdknda4g-source/default.nix:137:19:
                 136|                 ${key} = (attrs.${key} or { })
                 137|                   // (appendSystem key system ret);

Steps To Reproduce

  1. create a flake configuration
  2. do not set nix.settings.restrict-eval
  3. add an input like github:<something>

Expected behavior

Expected not to see errors about restricted eval mode.

Metadata

nix-env (Nix) 2.24.11

Additional context

Up until this point, the same configuration worked fine, but we bumped to unstable and now restrict-eval is throwing errors even though it is unset. We were able to get past this by adding github: and gitlab: to allowed-uris, though I'd assume that setting restrict-eval = false would also work. EDIT: restrict-eval = lib.mkForce false; does not fix it; somehow hydra-eval-jobs is still running in restricted mode.

May also be important to note this is on hydra machines.

@eureka-cpu eureka-cpu added the bug label Mar 14, 2025
eureka-cpu commented Mar 14, 2025

So this is actually just the intended behavior when using hydra with flakes:

The only solution here is to add prefixes/URIs to allowed-uris.
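
An added example, not part of the original issue and not Nix's own code: a Python model of the prefix rule the Nix manual documents for allowed-uris (exact match, subpath of the prefix, or a whole scheme ending in a colon), applied to the URI from the error message above. The function names and the gitlab/https sample inputs are constructed, and the rule as modelled is an assumption about the Nix version in use.

```python
"""Model of the allowed-uris check in restricted evaluation mode (added example)."""


def is_allowed_uri(uri, allowed_uris):
    """Return True if `uri` passes the modelled allowed-uris prefix rule."""
    for prefix in allowed_uris:
        if not prefix:
            continue
        if uri == prefix:
            return True
        if len(uri) > len(prefix) and uri.startswith(prefix):
            # Allowed when the URI is a subpath of the prefix, or when the
            # prefix names a whole scheme such as "github:".
            if (prefix.endswith("/")
                    or uri[len(prefix)] == "/"
                    or prefix.endswith(":")):
                return True
    return False


def forbidden_inputs(uris, allowed_uris):
    """List the inputs that would be rejected with 'forbidden in restricted mode'."""
    return [u for u in uris if not is_allowed_uri(u, allowed_uris)]


# URI copied from the error message in the issue.
POETRY2NIX = (
    "github:nix-community/poetry2nix/3c92540611f42d3fb2d0d084a6c694cd6544b609"
    "?narHash=sha256-2GOiFTkvs5MtVF65sC78KNVxQSmsxtk0WmV1wJ9V2ck%3D"
)
# Constructed sample inputs, for illustration only.
SAMPLE_INPUTS = [
    POETRY2NIX,
    "gitlab:example-group/example-project/0123456789abcdef0123456789abcdef01234567",
    "https://example.org/src.tar.gz",
]

if __name__ == "__main__":
    cases = {
        "allowed-uris unset": [],
        "whole schemes": ["github:", "gitlab:"],
        "single repository": ["github:nix-community/poetry2nix"],
        "partial name": ["github:nix-community/poetry"],
    }
    for label, allowed in cases.items():
        print(f"{label}: forbidden = {forbidden_inputs(SAMPLE_INPUTS, allowed)}")
```

Under this model, a prefix that names one repository admits only that repository's revisions, whereas github: admits every GitHub flake reference.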
