busybox-sandbox-shell: replace pkgsStatic with useMusl

[szlend]

Description of changes

Nix requires a static build of busybox for /bin/sh. However we can't actually use the main busybox derivation for this, because it links against glibc, and glibc is famously difficult to statically link against. For this reason Nix uses busybox-sandbox-shell which is configured to build with musl via pkgsStatic.

However this is not ideal:

• Using pkgsStatic slows down eval time by instantiating another instance of nixpkgs.
• pkgsStatic uses a different stdenv, so we need to bootstrap another compiler just to build busybox. This wastes a ton of time, especially when cross-compiling nix.

The busybox derivation actually supports linking against musl with a useMusl argument, so we don't actually need to use pkgsStatic just to use musl.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[szlend]

Sucessfully built the following platforms:

❯ nix build -L -f . pkgsCross.aarch64-multiplatform.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/kspcl6xn0vgmrz4xjdla33vzk2ihjs79-busybox-aarch64-unknown-linux-gnu-1.36.1

❯ nix build -L -f . pkgsCross.gnu64.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/8f374gs3k9glc4rwycgivc1wj1a6n7qz-busybox-x86_64-unknown-linux-gnu-1.36.1

❯ nix build -L -f . pkgsCross.riscv64.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/7rgj3dy5dd9bkk97m23c8nyi2hi48s51-busybox-riscv64-unknown-linux-gnu-1.36.1

❯ nix build -L -f . pkgsCross.ppc64.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/z7npv0g76kliin7igcjs23amsd503idk-busybox-powerpc64-unknown-linux-gnuabielfv2-1.36.1

❯ nix build -L -f . pkgsCross.powernv.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/3w6j46nkg2i85h6mx07vslmx4jxjxm9d-busybox-powerpc64le-unknown-linux-gnu-1.36.1

On loongarch64 we don't have musl available, so it tries to statically link with glibc with expected (bad) results:

❯ nix build -L -f . pkgsCross.loongarch64-linux.busybox-sandbox-shell; nix-store --query --requisites result
/nix/store/z5i8sca0z4wywky6aj78g06rpshd131r-libgcc-loongarch64-unknown-linux-gnu-13.2.0
/nix/store/ak68mapbyn9zpkvmh3a6dqb1k7w6vgnc-glibc-loongarch64-unknown-linux-gnu-2.39-52
/nix/store/r81i6qzi6r6ibgnkv699k90qg93hb3kk-busybox-loongarch64-unknown-linux-gnu-1.36.1

[szlend]

I'm not familiar with bionic, and aarch64-android failed at building compiler-rt-libc-aarch64-unknown-linux-android, so I'm unable to test that platform.

[wolfgangwalther]

Great timing. I had a strange eval failure (for ./outpaths.nix) in #303849, which did involve recursing into busybox-sandbox-shell and then pkgsStatic. Cherry-picking your commit from here, I can finally eval my branch - at least locally, let's see what ofborg does with it.

[wolfgangwalther]

I'm not familiar with bionic, and aarch64-android failed at building compiler-rt-libc-aarch64-unknown-linux-android, so I'm unable to test that platform.

Since pkgsCross.aarch64-android.stdenv.hostPlatform.isGnu is false, you have the same condition for taking musl as it was before. So should be good?

[alyssais]

I'm not even sure it was intentional that this used pkgsStatic in the first place — at least 39769df doesn't include any explanation. @domenkozar I'm guessing you don't remember why you did this five years ago, but wanted to give you a heads up.

[wolfgangwalther]

One thing I'm not sure I understand, yet, is this:

I tried the following:

Suggested change

	useMusl =
	# GNU hosts use glibc which is difficult to statically link against.
	# Prefer musl if the host platform supports it.
	stdenv.hostPlatform.isGnu && lib.meta.availableOn stdenv.hostPlatform musl;
	useMusl = false;

Then tried to build busybox-sandbox-shell on linux. Works fine. The binary is much bigger, because it's linked against glibc.static. But the build succeeds.

There is also #196329 which indicates that nowadays glibc.static is just fine.

Is all of this still required in the first place?

[alyssais]

Well, the question is, which choice is better for users? It sounds like the musl version in, if the glibc one is still much bigger, and there's no other difference between them.

[szlend]

Probably not. Though personally I don't mind using musl that much because /bin/sh is rarely used and it brings the final closure size down as a side benefit.

Imo we don't need to make that decision in this PR.

[wolfgangwalther]

Right. In that case the comment should be adjusted to say that musl is used with the intention of making it minimal, not avoiding glibc. Furthermore, The condition could probably be changed to lib.meta.availableOn stdenv.hostPlatform musl only.

[szlend]

Agree about the comment, but think I would probably still keep isGnu here as this is much less of an issue with other libcs.

If we switch to musl across the board, then we'd probably want to exclude it at least for bionic.

[szlend]

Happy to switch to musl across the board if there is consensus though.

[SuperSandro2000]

bionic is android, right?

Do we even have the sandbox on the other platforms?

[szlend]

Android yeah. busybox-sandbox-shell is only really used on Linux, so we're just talking about variations of Linux, compilers and different cpu architectures here.

[szlend]

FWIW, linking against glibc.static is not even that bad, the binary is only around 1MB in size. The only issue is it references glibc and libgcc from the /nix/store because of string references to zoneinfo, locale, gconv, ld.so.cache and libgcc-*/lib/.

[Ericson2314]

I don't like making a one-off useMusl static hack for just one package (I think we we should delete it, not use it). I also don't like using pkgsStatic and pkgsCross within Nixpkgs. I wonder what option I would like :)

[Ericson2314]

This wastes a ton of time, especially when cross-compiling nix.

This is a GCC problem that is entirely solvable, however. Especially if we make C++ libs optional.

[szlend]

I don't like making a one-off useMusl static hack for just one package (I think we we should delete it, not use it). I also don't like using pkgsStatic and pkgsCross within Nixpkgs. I wonder what option I would like :)

Personally I find pkgsStatic much worse. It's easier to just override one thing (libc) than re-instantiate the entire nixpkgs and hope it evaluates to an equivalent compiler toolchain (and not drift over time). The only real alternative I see is to use glibc.static. But imo useMusl is already a decent improvement.

[szlend]

Alternatively, if you'd like to generalize this, we could add a stdenv adapter to link against musl to pkgs/stdenv/adapters.nix, instead of the useMusl flag. Not sure how that would look like, just throwing it out there as it seems like it's unclear how we want to solve this right now.

[Ericson2314]

Yes, overriding the stdenv passed in (override the C compile to override the libc) would make me feel better.

[szlend]

After playing with this for a bit, I'm not really sure that this is a great idea. While the stdenv adapter does seem to work, I'm not really confident in adding this to the the official list of adapters because I'm not convinced it's going to be applicable to most derivations and just add to the growing list of tech debt. There's also the question of how to override stdenv.hostPlatform.libc properly and whether stdenv.parsed should be adjusted, etc.

useMuslLibc = stdenv: let
  bintools = stdenv.cc.bintools.override { libc = pkgs.musl; };
  cc = stdenv.cc.override { inherit bintools; libc = pkgs.musl; };
  in stdenv.override (old: {
    inherit cc;
    allowedRequisites = null;
    mkDerivationFromStdenv = extendMkDerivationArgs old (args: {
      NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + " -isystem ${pkgs.musl.dev}/include -B${pkgs.musl}/lib -L${pkgs.musl}/lib";
    });
  });

I still think useMusl is preferable to pkgsStatic. It's a really simple zero-dependency package to build and the flag has already been there for years. Though I'm happy to just use the override downstream and close this if there is disagreement.

[wolfgangwalther]

I still think useMusl is preferable to pkgsStatic. It's a really simple zero-dependency package to build and the flag has already been there for years. Though I'm happy to just use the override downstream and close this if there is disagreement.

Fully agree. While useMusl might not be the best solution, it's much better than what we have right now. It also fixes real problems, for example #303849. There doesn't seem to be a good reason to hold this back.

[alyssais]

In #341780 I propose getting rid of uses of pkgsStatic.busybox in the package set across the board. The references shouldn't be a problem, because the requirement is for the binaries to not be dynamically linked, not to be free of references, and the size difference, as pointed out by @szlend, is not big enough to warrant a whole separate toolchain.

[szlend]

The references shouldn't be a problem, because the requirement is for the binaries to not be dynamically linked, not to be free of references

My understanding was that at least for the nix sandbox, the references are a problem.

[wolfgangwalther]

I still think we should go ahead with this PR and merge it. The only objections to it was about useMusl, but this argument already exists and it's merely used here. Whether to change that to a more generic approach or not, can be a question for a different PR. Replacing pkgsStatic and the whole related toolchain here is a good thing regardless.

[wolfgangwalther]

Getting rid of a pkgsStatic reference is a good thing, better than before. Thus, I'd like to merge this.

@szlend could you rebase?

[wolfgangwalther]

Result of nixpkgs-review pr 314845 run on x86_64-linux 1

1 package blacklisted:

• nixos-install-tools

160 packages built:

• appvm
• attic-client
• attic-server
• bower2nix
• bundix
• busybox-sandbox-shell
• busybox-sandbox-shell.debug
• cabal2nix
• cached-nix-shell
• cachix (cachix.bin ,cachix.doc)
• chirpstack-concentratord
• colmena
• common-updater-scripts
• crate2nix
• crystal2nix
• devenv
• disko
• dub-to-nix
• dydisnix
• fusionInventory
• getoptions
• harmonia
• hci
• hercules-ci-agent
• home-manager
• hydra
• hydra.doc
• kcl
• libnixxml
• lix
• lix.debug
• lix.dev
• lix.devdoc
• lix.doc
• lix.man
• lixVersions.lix_2_90
• lixVersions.lix_2_90.debug
• lixVersions.lix_2_90.dev
• lixVersions.lix_2_90.devdoc
• lixVersions.lix_2_90.doc
• lixVersions.lix_2_90.man
• lua51Packages.luarocks-nix
• lua52Packages.luarocks-nix
• lua53Packages.luarocks-nix
• lua54Packages.luarocks-nix
• luajitPackages.luarocks-nix
• luarocks-packages-updater
• luarocks-packages-updater.dist
• nil
• nim_lk
• niv (niv.bin ,niv.data)
• nix (nixVersions.nix_2_24)
• nix-binary-cache
• nix-bundle
• nix-direnv
• nix-du
• nix-eval-jobs
• nix-fast-build
• nix-fast-build.dist
• nix-forecast
• nix-index
• nix-init
• nix-inspect
• nix-pin
• nix-plugin-pijul
• nix-plugins
• nix-prefetch
• nix-prefetch-bzr
• nix-prefetch-cvs
• nix-prefetch-docker
• nix-prefetch-git
• nix-prefetch-hg
• nix-prefetch-scripts
• nix-prefetch-svn
• nix-required-mounts
• nix-required-mounts.dist
• nix-serve
• nix-serve-ng
• nix-template
• nix-unit
• nix-update
• nix-update-source
• nix-update-source.dist
• nix-update.dist
• nix-visualize
• nix-visualize.dist
• nix-web
• nix.debug (nixVersions.nix_2_24.debug)
• nix.dev (nixVersions.nix_2_24.dev)
• nix.doc (nixVersions.nix_2_24.doc)
• nix.man (nixVersions.nix_2_24.man)
• nixVersions.git
• nixVersions.git.debug
• nixVersions.git.dev
• nixVersions.git.doc
• nixVersions.git.man
• nixVersions.latest
• nixVersions.latest.debug
• nixVersions.latest.dev
• nixVersions.latest.doc
• nixVersions.latest.man
• nixVersions.minimum
• nixVersions.minimum.debug
• nixVersions.minimum.dev
• nixVersions.minimum.doc
• nixVersions.minimum.man
• nixVersions.nix_2_18
• nixVersions.nix_2_18.debug
• nixVersions.nix_2_18.dev
• nixVersions.nix_2_18.doc
• nixVersions.nix_2_18.man
• nixci
• nixd
• nixos-anywhere
• nixos-generators
• nixos-install
• nixos-option
• nixos-rebuild
• nixos-rebuild-ng
• nixos-rebuild-ng.dist
• nixos-shell
• nixpkgs-hammering
• nixpkgs-manual
• nixpkgs-review
• nixpkgs-review.dist
• nixt
• nixt.dev
• nixtract
• node2nix
• npins
• nuget-to-nix
• nurl
• nvfetcher
• outline
• prefetch-yarn-deps
• python311Packages.nix-kernel
• python311Packages.nix-kernel.dist
• python311Packages.nixpkgs
• python311Packages.nixpkgs.dist
• python311Packages.pythonix
• python312Packages.nix-kernel
• python312Packages.nix-kernel.dist
• python312Packages.nixpkgs
• python312Packages.nixpkgs.dist
• python312Packages.pythonix
• sbomnix
• sbomnix.dist
• swiftPackages.swiftpm2nix
• terranix
• typescript-language-server
• update-nix-fetchgit
• update-python-libraries
• vimPluginsUpdater
• vulnix
• vulnix.dist
• vulnix.doc
• vulnix.man
• wp4nix
• yarn2nix
• zon2nix

[alyssais]

This broke eval of busybox-sandbox-shell on musl platforms. Fix is #361265.