New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Point nix at curl 7.59.0 #41452
Point nix at curl 7.59.0 #41452
Conversation
Well, if 7.60.0 breaks Nix, maybe it breaks other things as well? Perhaps we should just hold off on upgrading to 7.60.0, or is there a particular reason to update? |
The |
👍 for 7.59 for now, bit of info-dump on the subject follows: I've been using 7.59 for a while now for this reason. The problem is that the threaded resolver (on by default) doesn't have a fd to listen on when resolving (unless using c-ares) so things end up waiting the full timeout. I believe our usage of curl is unusual-- but AFAIK not incorrect -- which is how we get impacted by this but others don't. Look at how curl itself leverages the multi API when doing a single "easy" request -- as well as in the various examples-- and among other differences you'll notice they claim one should just sleep 100ms and call again, instead of trusting curl_multi_wait to actually work as we expect it to. Might be worth asking curl folks to take a look at what we're doing. Upstream curl has a commit or two that might help (curl/curl@3e0dee0 is relevant and is a similar problem for the "protocol" state) but curl master doesn't fix this for me. And I haven't debugged this further because Nix+7.60 also seems especially unhappy with our removing of handles from the multi stack when they're possibly already part of an http2 pipeline (I guess?) which has been causing crashing behavior and been what I was focusing on investigating. (crashes might be due to openssl global context badness when forking, but unsure) I was kinda hoping someone somewhere would produce a patch/bug report (I've been checking other distributions and the curl mailing list) but maybe Nix is just that special and other software isn't having problems :(. |
Thanks for the explanation! |
* master: Revert "vinagre: disable format hardening" nix: point at curl 7.59.0 (#41452) vinagre: disable format hardening linux: Add 4.17 gnome3.vinagre: fix build linux-copperhead: 4.16.12.a -> 4.16.13.a julia: add some version info to passthru, will be used by julia2nix gdal: Fix darwin build opendkim: fix libbsd dependency avoid redundant rm calls perlPackages.CPANPLUS: add cpanp dependency plotutils: fix parallel building nixos/gitea: Respect gitea-dump enable option. (#41437) kubernetes: corrected spelling mistake in docs (#41439) python.pkgs.trustme: fix python2 build revert 4a86f8c and properly remove the temporary ssh host keys file/directory.
@orivej that was my finding as well when bisecting! (dtzWill/nix@ba509d8) Sorry for not better communicating findings earlier, but wasn't sure problem wasn't in my setup/environment Thanks for investigating and getting a workaround in place! |
Related upstream issue: curl/curl#2636 (comment) Which at least partially matches what I discovered/reported above regarding our use being considered the issue. (we tell Not sure what the best alternative is, one approach I was exploring is to use a timeout of 100ms whenever we have active requests, and increase the amount (to 10s or whatever) if literally all we're doing is polling on our wakeup pipe. I'm tackling other issues which made this less obviously a "win" but it might do the trick for most folks? (relevant code in Nix, FWIW: https://github.com/NixOS/nix/blob/4ac4f675df3da01b6d814cd328dd3219dd472ac9/src/libstore/download.cc#L482) |
This reverts commit 5574df3. Instead we will use curl 7.60 with c-ares resolver.
My understanding is that upstream recognizes that the threaded resolver is a bit more difficult to use than the blocking and the asynchronous resolvers, and can not change that. (curl/curl#2636 (comment)) I propose that we build Nix with curl with the asynchronous resolver in |
Since curl with c-ares can't support nsswitch plugins (#41609 (comment)), we can not enable c-ares by default. I propose that we just build Nix with curl with blocking resolver, as long as it does not support threaded resolver (#41619). |
This reverts commit 5574df3. I also can't reproduce the problem anymore; discussion: NixOS#41312. Fixes NixOS#53569, fixes NixOS#53948. (Vulnerabilities in old curl.) (cherry picked from commit 51ac3db)
I would consider this a temporary fix until a proper solution for #41312 has been found.
Unfortunately, NixOS on master is rather unusable without reverting the above commit.
Motivation for this change
All nix tools appear to be flaky and run into timeouts with curl 7.60.0
See #41312 for more details
Note that I created a separate
curl/7_59.nix
rather than abstracting the curl derivation to make this "fix" easily removable.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)