dotnet restore failed when using nix-build, but works when under nix-shell --pure

Question

I'm trying to use nix for building dotnet (sdk 5) projects.

The configuration is something like

stdenv.mkDerivation {
# builder = "${bash}/bin/bash";
# args = [ ./builder.sh ];
name = "mypackage";
src = ./.;
HOME = "/tmp/test-home";
DOTNET_CLI_TELEMETRY_OPTOUT = 1;
nativeBuildInputs = [ nodejs ];
buildInputs = [ dotnet openssl cacert  ];
configurePhase = ''
  export HOME=$PWD/home
  runHook preConfigure
  dotnet nuget list source
  dotnet nuget locals all --list
  dotnet restore
  runHook postConfigure
'';
buildPhase = ''
  export DOTNET_CLI_TELEMETRY_OPTOUT=1
  export DOTNET_NOLOGO=1
  ${dotnet}/bin/dotnet publish ProjectDirectory --self-contained -r linux-x64 -c Release
'';
installPhase = ''
  mkdir -p $out/
'';

};

The HOME attribute in argument for stdenv.mkDerivation is for nix-shell only. Since nix-shell will inherit normal $HOME, I need to set $HOME to another empty directory to mimic behavior of build phase.

• When using nix-shell and run dotnet restore manually, it works fine.

• When using nix-build, build failed with following error when running dotnet restore

  Registered Sources:

  1. nuget.org [Enabled] https://api.nuget.org/v3/index.json http-cache: /build/PROJECTNAME/home/.local/share/NuGet/v3-cache global-packages: /build/PROJECTNAME/home/.nuget/packages/ temp: /build/NuGetScratch plugins-cache: /build/PROJECTNAME/home/.local/share/NuGet/plugins-cache Determining projects to restore... /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/build/PROJECTNAME/PET-CT-machine-service.sln] /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Name or service not known (api.nuget.org:443) [/build/PROJECTNAME/PET-CT-machine-service.sln] /nix/store/fvfyn01fjmawvyn7vlhhrgkzyy6321wl-dotnet-sdk-5.0.202/sdk/5.0.202/NuGet.targets(131,5): error : Name or service not known [/build/tomopioneer/PET-CT-machine-service.sln]

What's the difference between nix-build and nix-shell --pure when HOME is manually set?

By reading code from github NixOS/nixpkgs repository, it seems several dotnet packages were using nuget manually and using dotnet restore with local source. Is that necessary?

---

I've make more tests about api.nuget.org.

running curl https://api.nuget.org/v3/index.json -v, I got:

• works fine when directly run under terminal of nixos
• works fine in nix-shell --pure
• error in nix-build, curl: (6) Could not resolve host: api.nuget.org

Answer 1

nix-shell has network access which is not allowed in the sandbox that nix-build uses without a fixed output derivation.

By reading code from github NixOS/nixpkgs repository, it seems several dotnet packages were using nuget manually and using dotnet restore with local source. Is that necessary?

With sandbox enabled yes.