stdenv: don't preserve ownership information in defaultUnpack hook

[rski]

-p preserves permission,mode,timestamps.

When trying to copy with permission on NFS, it can fail;

The closest documentation I found on this was:

https://access.redhat.com/solutions/725513

One suggestion is to change the netapp configuration, but another that should work for everyone is to use the cp command presented in this patch.

With this, builds on nfs work for me. I however cannot say that I'm certain that removing the permission preservation won't cause any other troubles elsewhere, e.g. by perhaps introducing some sort of non-determinism.

See #244331

Example errors include:

@nix { "action": "setPhase", "phase": "unpackPhase" }
unpacking sources
unpacking source archive /nix/store/lpmhj0fh1ww4zby35m4lfvnq0sm60jfd-source
cp: preserving permissions for 'source/.gitignore': Operation not supported
cp: preserving permissions for 'source/README.md': Operation not supported

do not know how to unpack source archive /nix/store/lpmhj0fh1ww4zby35m4lfvnq0sm60jfd-source

and

      > Cannot copy /nix/store/49v7a7ali88cgdkfn1l9i1shz0a9lmxf-source to source: destination already exists!
       > Did you specify two "srcs" with the same "name"?
       > do not know how to unpack source archive /nix/store/49v7a7ali88cgdkfn1l9i1shz0a9lmxf-source

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[jsoo1]

One request: can you add an example error message to the PR description or commit message, please?

[rski]

One request: can you add an example error message to the PR description or commit message, please?

done

[tobim]

Can you explain your use-case for this change? Are you actually creating build sandboxes on NFS or do you need this for manually running unpackPhase while working on certain packages?

[rski]

doesn't seem to actually work, I'll close this until i figure out something that does :(

[rski]

Can you explain your use-case for this change? Are you actually creating build sandboxes on NFS or do you need this for manually running unpackPhase while working on certain packages?

My entire nix store is on nfs. So whenever I run nix build and something doesn't hit the cache, defaultUnpack might be called which results in this. Usually it's due to running home-manager with overrides or extra derivations of my own

[philiptaron]

As a distributed filesystems engineer, the root cause for this failure you're experiencing almost certainly resides somewhere between your NFS server and its configuration and the mount options on your NFS client. An NFS server, properly mounted, should absolutely be able to hold all the permissions that cp -p is copying, and doubly so for the Nix store, which is world-readable without making use of the sticky bit or setuid/setgid bits.

In particular, you're likely experiencing a problem caused by attempting to set ownership (chown/chgrp) without having the permissions to do so.

[tobim]

Maybe your source has some acls that cannot be set at the destination? Does this SO answer match your problem: https://serverfault.com/a/281292?

[aelbarkani]

I have the same problem with Ceph storage (both CephFS and RBD), so it's not only NFS I think.

[aelbarkani]

btw @rski tried the commands you proposed in this PR and it seems to be working in my environment (OpenShift containers with SELinux enabled and high constraints on security wtih Ceph volumes mounted, CephFS in this case):

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:29:01] 
$ cp -pr --reflink=auto -- pyproject.toml pyproject.toml.test
cp: Operation not supported (os error 95)

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:29:26] C:1
$ cp -pr --reflink=auto pyproject.toml pyproject.toml.test 
cp: Operation not supported (os error 95)

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:30:06] C:1
$ cp -pr --reflink=auto -- pyproject.toml pyproject.toml.test
cp: Operation not supported (os error 95)

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:30:12] C:1
$ cp -pr -- pyproject.toml pyproject.toml.test 
cp: Operation not supported (os error 95)

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:30:17] C:1
$ cp -p -- pyproject.toml pyproject.toml.test 
cp: Operation not supported (os error 95)

# 1000990000 @ workspaceaf516e039e6f4aff-665db5bb48-rjcwg in /projects/project on git:init x [19:30:21] C:1
$ cp -r --preserve=mode,timestamps --reflink=auto -- pyproject.toml pyproject.toml.test

I'm going to try to reproduce in a Nix flake.

[philiptaron]

From the GNU coreutils manual:

Using --preserve with no attributes listed is equivalent to --preserve=mode,ownership,timestamps.

Thus, what this patch drops is --preserve=ownership.

Since the contents in the Nix store do not need ownership (they are owned by root), I think this is a fine patch to take.

[philiptaron]

I plan on merging this sometime today unless there are big objections.