haskellPackages.stack doesn't properly have network access (when run inside Docker)

[rrnewton]

Issue description

Context: we're trying out nix inside docker images, because in our environment it's easier to get access to machines with multi-user Docker installs than with multi-user nix setups.

The problem is with the "stack" executable. The observed behavior is that all stack commands fail, because when they try to reach for the network, they get an error. But other binaries that use networking work just fine. For example, I can execute wget commands within the container.

I'm not yet sure if this is a problem with stack or a problem with the base images distributed on Docker hub by the user/org "nixos". I assume these are "official" based on the name?

Steps to reproduce

Put the following text in a Dockerfile, and run docker build ..

FROM nixos/nix:1.10
RUN nix-env --version && nix-env -iA nixpkgs.gnutar
ENV NIX_PATH=nixpkgs=http://nixos.org/releases/nixpkgs/nixpkgs-16.09pre82345.3994a23/nixexprs.tar.xz
RUN nix-env -iA nixpkgs.bashInteractive
RUN nix-env -f "<nixpkgs>" -iA haskellPackages.stack

RUN which -a stack && \
    stack --version && \
    stack new hello

The output will end with:

Step 6 : RUN which -a stack &&     stack --version &&     stack new hello
 ---> Running in b192f2debb29
/root/.nix-profile/bin/stack
Version 1.0.4.3 x86_64
Downloading template "new-template" to create project "hello" in hello/ ...
FailedConnectionException2 "raw.githubusercontent.com" 443 True getProtocolByName: does not exist (no such protocol name: tcp)

Technical details

• System: It's docker, so it should be reproducible. I ran it on a RHEL 7.2 (kernel 3.10.0-327.10.1.el7.x86_64) machine and an ubuntu 14.04.4 machine (kernel 3.19.0-28-generic).
• Nix version: 1.10, determined by the docker base image
• Nixpkgs version: I've tried with various releases. The above Dockerfile points uses a recent nightly.

[puffnfresh]

This error happens when /etc/protocols doesn't exist. I've accidentally made Docker images without this file and had exactly the same problem with Haskell code.

We need to add "iana_etc" to the Docker images.

[573]

Hi @puffnfresh,
the /etc/protocols tip moved me a step forward, thanks!
When adding the --volume /etc/protocols:/etc/protocols flag to the docker run command and running nix-shell --pure -p "haskell.packages.ghc802.ghcWithPackages (pkgs: with pkgs; [stack])" inside the container I get:

[nix-shell:/]$ stack new foo
Downloading template "new-template" to create project "foo" in foo/ ...
HttpExceptionRequest Request {
host = "raw.githubusercontent.com"
port = 443
secure = True
requestHeaders = []
path = "/commercialhaskell/stack-templates/master/new-template.hsfiles"
queryString = ""
method = "GET"
proxy = Nothing
rawBody = False
redirectCount = 10
responseTimeout = ResponseTimeoutDefault
requestVersion = HTTP/1.1
}
(InternalException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))))

What else would I have to bind in the container?

[573]

I just tried with adding --volume /etc/ssl:/etc/ssl as well which worked.

[stale]

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
2. Ask on the NixOS Discourse.
3. Ask on the #nixos channel on irc.freenode.net.

[cdepillabout]

Sounds like this was solved by adding certs and /etc/protocols. I'll go ahead and close.