Derive nix profile from the generated flake

[savil]

Summary

This PR seeks to unify our nix print-dev-env and nix profile steps. Other benefits:

1. It will enable us to remove some hacks (example, this one introduced for glibc-patch)
2. Re-enable some testscripts that were disabled (example, this one for php extension removal)

Previously, these would be two separate processes: we'd manually do nix profile install.
Now, we get the buildInputPaths from nix print-dev-env and install those, so the nix profile is derived from the flake.

Some highlights of code movements/changes:

1. Adds devbox.syncNixProfile. Initially copied from [wip/poc] impl: use flake for profile packages #1588, and then modified quite a bit.
2. Move devpkg.storePathParts to nix.StorePathParts so it can be called from syncFlakeToProfile
3. Needed to modify nixprofile.ProfileInstall to work on Installables rather than package-names, so it can install /nix/store/<hash>-<pkg> buildPaths from the flake.
4. Moved validatePackages from nixprofile.ProfileInstall to ensureStateIsUpToDate, since we must run it prior to computeEnv that evaluates nix print-dev-env.
5. Added devbox.installNixPackagesToStore so that packages are locally installed in nix store when adding or removing or updating, and not in devbox-environment.

Behavior change:
This PR leads to more computeEnv calls that do nix print-dev-env in our Examples tests. The reason is that devbox add/rm/update will always invalidate the local.lock cache, leading to subsequent operations like devbox run/shell/shellenv to invoke computeEnv. Do note that this is more correct than before where the nix print-dev-env cache would be stale for devbox add/rm/update when not in a devbox environment.

It led to some Examples testscripts failing for nix 2.17.0 due to errors like https://gist.github.com/savil/03ae7f4e55c0796a60bdf0cfae588fac. It appears this was an issue with nix that was fixed, affecting nix operations that happen in parallel, which affects our cicd tests.

The issue was fixed in August 2023, so it doesn't fail for nix 2.19. It also doesn't fail for nix 2.12, so perhaps it was an issue introduced in between.

For now, I've dropped 2.17 from the nix versions that we run the cli-tests on. I think this is okay, since we still test with nix 2.12 and 2.19.

How was it tested?

1. Automated tests should pass.
2. Did devbox add and devbox rm with hello and cowsay and also with the process-compose flake.
3. devbox add glibcLocales prints the correct error message and suggestion to use --exclude-platform. And then verified that devbox add glibcLocales --exclude-platform x86_64-darwin works as expected.

is there some edge case I may be missing?

[savil]

Current dependencies on/for this PR:

• main
  • PR [StorePathParts] move to nix package #1722
    • PR Derive nix profile from the generated flake #1692 👈

This stack of pull requests is managed by Graphite.

[savil]

fails with:

--- FAIL: TestScripts (0.05s)
    --- FAIL: TestScripts/php.test (319.64s)
        testscript.go:534: > exec devbox run php index.php
            [stderr]
            Ensuring packages are installed.
            Error: error running script "php" in Devbox: Command: /nix/var/nix/profiles/default/bin/nix print-dev-env $WORK/.devbox/gen/flake --extra-experimental-features ca-derivations --option experimental-features nix-command flakes fetch-closure --json: exit status 1

            Error: There was an internal error. Run with DEVBOX_DEBUG=1 for a detailed error message, and consider reporting it at https://github.com/jetpack-io/devbox/issues
            program not built with -cover
            [exit status 1]
            FAIL: languages/php.test.txt:1: unexpected command failure

    --- FAIL: TestScripts/unfree.test (353.82s)
        testscript.go:534: # Test ensures that we can add and remove "unfree" nix packages (1.499s)
            # we could test with slack and/or vscode. Using slack since it is lighter. (352.309s)
            > exec devbox add slack
            [stdout]
            Running /nix/var/nix/profiles/default/bin/nix eval --json $WORK/.devbox/gen/flake#devShells.x86_64-darwin.default.buildInputs --extra-experimental-features ca-derivations --option experimental-features nix-command flakes fetch-closure
            [stderr]
            Ensuring nixpkgs registry is downloaded.
            Downloaded 'github:NixOS/nixpkgs/fd04bea4cbf76f86f244b9e2549fca066db8ddff' to '/nix/store/pfixw35k0jwhz6mrhd6jw0vlppjjkamg-source' (hash 'sha256-imn+/Rj+bqagOSm7GmRDbrqkxtc7QnjY3Cu85gv46BU=').
            Ensuring nixpkgs registry is downloaded: Success
            Info: Adding package "slack@latest" to devbox.json
            program not built with -cover
            > stderr 'Installing package: slack.'
            FAIL: packages/unfree.test.txt:7: no match for `Installing package: slack.` found in stderr

FAIL
coverage: [no statements]
FAIL	go.jetpack.io/devbox/testscripts	438.322s
FAIL
Error: error running script "test" in Devbox: exit status 1

[savil]

Made some progress.

The unfree testscript needed a update for which output to look for. So fixed.

The php-testscript was failing due to nix profile install adding multiple buildInputs for the same package (in this case, composer is added by both the php plugin and as a devbox package). Made a change to reuse our current approach of setting --priority in the nix profile install.

So, this is very much usable. However, I feel there are some UX fixes to be made:

1. We'll need to prefetch nixpkgs for when we are going to download them. This allows us to show a nicer message than when the flake.nix downloads them as a side-effect of being evaluated.
2. devbox rm <pkg> needs UX improvement to print some nice messages. The current messages have gotten dropped.
3. Adding a package to the nix profile currently displays the /nix/store path as in:

[1/1] /nix/store/c9mw21jbrpprfd8vh735zvangxmh7j5a-cowsay-3.7.0
[1/1] /nix/store/c9mw21jbrpprfd8vh735zvangxmh7j5a-cowsay-3.7.0: Success

We should parse the package name and version from this path, and display just that.

But this seems pretty doable and should simplify our logic quite a bit.

[savil]

Currently, running into this CICD error:

       2024/01/03 01:37:52 running command: /nix/var/nix/profiles/default/bin/nix profile install --profile $WORK/.devbox/nix/profile/default --impure --priority 8 /nix/store/cyqwmgbir56zsn600z0sgnvdribnfgpj-process-compose-0.40.2 --extra-experimental-features ca-derivations --option experimental-features nix-command flakes fetch-closure
        don't know how to build these paths:
          /nix/store/cyqwmgbir56zsn600z0sgnvdribnfgpj-process-compose-0.40.2
        error: path '/nix/store/cyqwmgbir56zsn600z0sgnvdribnfgpj-process-compose-0.40.2' is required, but there is no substituter that can build it

[savil]

@mikeland73 @gcurtis PTAL. I think i've addressed the perf concern.

For the scenario we were concerned about (devbox add/rm/update not in a devbox environment) I now skip computeEnv and syncNixProfile entirely, and install into nix store via nix build. We then do the rest of the operations and delete the local.lock file (simplest way to "mark it dirty"), so that the next time we do ensureStateIsUpToDate(mode=ensure) it will recompute the env and syncNixProfile.

This PR is getting rather large. Let me know if you'd like me to split it up.

[savil]

Actually, this should get moved to the else clause below (where we skip computeEnv and syncNixProfile)

[mikeland73]

I would really prefer not adding these. The complexity rule forces us to structure our code instead of just growing a function indefinitely.

I already once spent some time cleaning this function up to remove this, so unless we decide to turn this off, it's just shifting the work to a future developer.

[savil]

Ah yeah, some context:

1. I wanted to see if the code would pass all cicd tests, and didn't want to do big refactoring before getting that information.
2. I like this linter too, but its a bit vague about how its rules work. How does it decide what is complex? How do i refactor my code?
3. I then didn't invest time in removing this, since I was awaiting feedback on the general approach from you and Greg.

[mikeland73]

defer logic for non clean up tasks makes code much harder to debug. Instead I would suggest just leaving local cache dirty. I'll add more details in other comments.

[mikeland73]

Why do we need to validate and also install nix packages to store? Can't we just install nix packages above? (where you area validating?)

[savil]

Since we may be installing plugins, I thought it should come after the plugin manager create, and remove plugin invalid symlinks.

Will see if I can combine validatePackagesToBeInstalled with nix build and move that below the pluginmanager setup functions.

[mikeland73]

I feel like everything here should be part of syncNixProfile

[mikeland73]

what are substituters? and are we ok disabling them?

[mikeland73]

This make sense for ensure cases, but not for add/remove cases. In that case we just run nix build which will presumably fail if a package is not valid.

[savil]

will see if that may work

[mikeland73]

Can we just make this exported instead?

[savil]

since everything in this struct is private and controlled, will prefer leaving it this way

[mikeland73]

Do we need the offline option if we use nix build instead of profile install for individual packages? In that case I think offline is always true.

[savil]

nix build has its own --offline flag.

We do need the --offline flag for the reasons I've explained elsewhere

[mikeland73]

I think the logic an flow of this function can be improved (and maybe that can help split PRs) to make this lower risk. Proposal:

• Split lockfile.Save() into lockfile.Save() and lock.UpdateAndSaveStateHash(). This should actually live in different packages, but baby steps. The first function saves the lockfile, the other only deals with the hash file.
• define mode == ensure || d.IsEnvEnabled() as recomputeLocalState
• if !recomputeLocalState then we only add and build packages, or remove.
• if recomputeLocalState we syncFlake.
• if recomputeLocalState we call lock.UpdateAndSaveStateHash()
• we always save lockfile at the end.

In terms of splitting PRs we could split out the lockfile functions and do that first. Followed by most of the rest

[savil]

the lockfile.save function is:

func (f *File) Save() error {
	if err := cuecfg.WriteFile(lockFilePath(f.devboxProject), f); err != nil {
		return err
	}
	return updateLocal(f.devboxProject)
}

splitting this is a pretty small change. Here I'll do it in this comment itself:

func (f *File) Save() error {
	return cuecfg.WriteFile(lockFilePath(f.devboxProject), f)
}
func (f *File) UpdateAndSaveStateHash() error {
	return updateLocal(f.devboxProject)
}

It feels a bit unnecessary to make a separate PR just for this...

[savil]

I do like the overall breakdown of the logic you present. Let me refactor into that.

[savil]

re-written in #1724 and the PR stack below that.