dotnet restore failed when using nix-build, but works when under nix-shell --pure

Question

I'm trying to use nix for building dotnet (sdk 5) projects.

The configuration is something like

stdenv.mkDerivation {
# builder = "${bash}/bin/bash";
# args = [ ./builder.sh ];
name = "mypackage";
src = ./.;
HOME = "/tmp/test-home";
DOTNET_CLI_TELEMETRY_OPTOUT = 1;
nativeBuildInputs = [ nodejs ];
buildInputs = [ dotnet openssl cacert  ];
configurePhase = ''
  export HOME=$PWD/home
  runHook preConfigure
  dotnet nuget list source
  dotnet nuget locals all --list
  dotnet restore
  runHook postConfigure
'';
buildPhase = ''
  export DOTNET_CLI_TELEMETRY_OPTOUT=1
  export DOTNET_NOLOGO=1
  ${dotnet}/bin/dotnet publish ProjectDirectory --self-contained -r linux-x64 -c Release
'';
installPhase = ''
  mkdir -p $out/
'';

};

The HOME attribute in argument for stdenv.mkDerivation is for nix-shell only. Since nix-shell will inherit normal $HOME, I need to set $HOME to another empty directory to mimic behavior of build phase.

When using nix-shell and run dotnet restore manually, it works fine.
When using nix-build, build failed with following error when running dotnet restore

Registered Sources:
1. nuget.org [Enabled] https://api.nuget.org/v3/index.json http-cache: /build/PROJECTNAME/home/.local/share/NuGet/v3-cache global-packages: /build/PROJECTNAME/home/.nuget/packages/ temp: /build/NuGetScratch plugins-cache: /build/PROJECTNAME/home/.local/share/NuGet/plugins-cache Determining projects to restore... /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/build/PROJECTNAME/PET-CT-machine-service.sln] /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Name or service not known (api.nuget.org:443) [/build/PROJECTNAME/PET-CT-machine-service.sln] /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Name or service not known [/build/tomopioneer/PET-CT-machine-service.sln]

What's the difference between nix-build and nix-shell --pure when HOME is manually set?

By reading code from github NixOS/nixpkgs repository, it seems several dotnet packages were using nuget manually and using dotnet restore with local source. Is that necessary?

I've make more tests about api.nuget.org.

running curl https://api.nuget.org/v3/index.json -v, I got:

works fine when directly run under terminal of nixos
works fine in nix-shell --pure
error in nix-build, curl: (6) Could not resolve host: api.nuget.org

Nix builds are sandboxed by default https://nixos.wiki/wiki/Nix#Sandboxing — Sebastian Ullrich, Oct 09 '21 at 11:40

score 1 · Answer 1 · answered Mar 29 '22 at 16:14

nix-shell has network access which is not allowed in the sandbox that nix-build uses without a fixed output derivation.

By reading code from github NixOS/nixpkgs repository, it seems several dotnet packages were using nuget manually and using dotnet restore with local source. Is that necessary?

With sandbox enabled yes.

dotnet restore failed when using nix-build, but works when under nix-shell --pure

1 Answers1