fix: ssh socket hygiene#522
Conversation
|
Warning Review limit reached
More reviews will be available in 50 minutes and 12 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. 📝 WalkthroughWalkthroughThe SSH master child setup now opens ChangesSSH master child file descriptor setup
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/libstore/ssh.cc (1)
270-271: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueRedirecting the SSH master's stderr to
/dev/nulldiscards all diagnostics, including-voutput.Below at Line 276
-vis appended whenverbosity >= lvlChatty, but its output now goes to/dev/null, so chatty/debug runs lose ssh master diagnostics that previously reached the inherited stderr. If the goal is only to drop references to the build hook's stdin/stderr, consider routing the master's stderr tologFD(asstartCommanddoes at Line 183) when available, falling back to/dev/nullotherwise.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/libstore/ssh.cc` around lines 270 - 271, The SSH master setup currently redirects STDERR_FILENO to /dev/null in ssh.cc, which hides useful diagnostics including the -v output added in the SSH command construction. Update the startup path around the stderr dup2 logic in the SSH master launch flow to prefer routing stderr to logFD like startCommand does, and only fall back to /dev/null when no logFD is available so chatty/debug verbosity still reaches logs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/libstore/ssh.cc`:
- Around line 270-271: The SSH master setup currently redirects STDERR_FILENO to
/dev/null in ssh.cc, which hides useful diagnostics including the -v output
added in the SSH command construction. Update the startup path around the stderr
dup2 logic in the SSH master launch flow to prefer routing stderr to logFD like
startCommand does, and only fall back to /dev/null when no logFD is available so
chatty/debug verbosity still reaches logs.
CertainLach
force-pushed
the
push-zykqmstvtxtp
branch
from
351dccb to
c537804
Compare
|
Added use of logFD when exists |
| throw SysError("duping over stdout"); | ||
| if (dup2(nullFd, STDIN_FILENO) == -1) | ||
| throw SysError("duping over stdin"); | ||
| if (dup2(logFD != -1 ? logFD : nullFd, STDERR_FILENO) == -1) |
There was a problem hiding this comment.
Not sure if we should redirect stderr to /dev/null, since that could hide useful error messages if the master ssh fails to connect.
There was a problem hiding this comment.
The problem is in my case I was seeing nix-daemon being stuck on Worker::waitForInput, where fd it waits for belongs to stderr of ssh control master
I'll try to add debug logs to understand what is happening here, but it seems that stderr should not leak to the child process here in any case
There was a problem hiding this comment.
...At least in context of remote build hook
2 participants
Motivation
I have experienced my nix builds getting stuck on reading from remote build hook, in
Worker::waitForInput(), where it polls on the socket that belongs to the ssh master process, and waits for it to be EOF, but it never is, as the command is persistent ssh master.I'm not sure if this is a symptom of a larger problem I have somewhere in my setup, but it seems that ssh master should not keep references to stdin/stderr of the remote build hook process (ssh master is only supposed to "echo started" here).
Unfortunately I'm not sure how to reproduce that.
Context
Summary by CodeRabbit