authorEelco Dolstra <e.dolstra@tudelft.nl>2008-10-29T15·34+0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2008-10-29T15·34+0000
commit709b55ee0281bc2d587dff6f60ec189b010800f6 (patch)
tree18285f86f7247c8ee638598daad8e5b5b2387f26
parentc98ea254dcb6384b686a88657fd800ad7655e4a5 (diff)
* Put the chroots under /nix/var/nix/chroots to reduce the risk of
  disasters involving `rm -rf' on bind mounts.  Will try the
  definitive fix (per-process mounts, apparently possible via the
  CLONE_NEWNS flag in clone()) some other time.

-rw-r--r--src/libmain/shared.cc1
-rw-r--r--src/libstore/build.cc17
-rw-r--r--src/libstore/globals.cc1
-rw-r--r--src/libstore/globals.hh6
4 files changed, 15 insertions, 10 deletions
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index fd16dece7d44..4725d1ed1047 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -138,6 +138,7 @@ static void initAndRun(int argc, char * * argv)
     nixConfDir = canonPath(getEnv("NIX_CONF_DIR", NIX_CONF_DIR));
     nixLibexecDir = canonPath(getEnv("NIX_LIBEXEC_DIR", NIX_LIBEXEC_DIR));
     nixBinDir = canonPath(getEnv("NIX_BIN_DIR", NIX_BIN_DIR));
+    nixChrootsDir = canonPath(getEnv("NIX_CHROOTS_DIR", nixStateDir + "/chroots"));
 
     string subs = getEnv("NIX_SUBSTITUTERS", "default");
     if (subs == "default") {
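Review bot: The new chroot root on the added line is taken straight from `NIX_CHROOTS_DIR` (defaulting to `nixStateDir + "/chroots"`) with no check that the path is an existing directory owned by the invoking user and not writable by others, and nothing in this hunk creates it; since bind mounts of /nix/store are later set up beneath it, a writable or attacker-chosen parent is where a symlink or pre-created `chroot-nix*` entry could be staged. This mirrors how the other `NIX_*_DIR` variables on the preceding lines are handled, so the exposure is only as large as the trust already placed in the environment, but an explicit stat()-based ownership/mode check (or ignoring the override when the environment is untrusted) would make that trust visible. A comment such as `/* Parent of per-build chroot roots; must be Nix-owned and not world-writable because store bind mounts are created beneath it. */` would document the requirement. initAndRun begins before and continues after this hunk.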
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 2a8ddd491486..586e44922197 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1710,16 +1710,13 @@ void DerivationGoal::startBuilder()
         /* Create a temporary directory in which we set up the chroot
            environment using bind-mounts.
 
-           !!! Big danger here: since we're doing this in /tmp, there
-           is a risk that the admin does something like "rm -rf
-           /tmp/chroot-nix-*" to clean up aborted builds, and if some
-           of the bind-mounts are still active, then "rm -rf" will
-           happily recurse into those mount points (thereby deleting,
-           say, /nix/store).  Ideally, chrootRootDir should be created in
-           some special location (maybe in /nix/var/nix) where Nix
-           takes care of unmounting / deleting old chroots
-           automatically. */
-        chrootRootDir = createTempDir("", "chroot-nix");
+           !!! Bind mounts are potentially dangerous: if the user
+           cleans up his system by doing "rm -rf
+           /nix/var/nix/chroots/*", this will recurse into /nix/store
+           via the bind mounts (and potentially other parts of the
+           filesystem, depending on the setting of the
+           `build-chroot-dirs' option). */
+        chrootRootDir = createTempDir(nixChrootsDir, "chroot-nix");
 
         /* Clean up the chroot directory automatically, but don't
            recurse; that would be very very bad if the unmount of a
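Review bot: `createTempDir(nixChrootsDir, "chroot-nix")` on the last added line is called without ensuring that `nixChrootsDir` exists, so on a fresh installation the first chroot build will presumably fail unless createTempDir (not visible here) creates missing parents; an explicit mkdir of `nixChrootsDir` with mode 0700 immediately before the call would settle this and also pin the permissions of the directory under which the store is bind-mounted, which the environment-supplied default does not guarantee. The rewritten comment still describes the `rm -rf` hazard but not what the fixed location actually buys, so a reader may assume the problem is solved; consider appending `Using a Nix-owned directory instead of /tmp lets Nix find and unmount stale chroots from aborted builds; it does not make rm -rf on this tree safe.` The "don't recurse" cleanup comment that follows is the only guard against the same mistake inside Nix itself, so it is worth keeping adjacent to this call. startBuilder begins before and ends after this hunk.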
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index eaea4b707eea..7228fc19364d 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -16,6 +16,7 @@ string nixDBPath = "/UNINIT";
 string nixConfDir = "/UNINIT";
 string nixLibexecDir = "/UNINIT";
 string nixBinDir = "/UNINIT";
+string nixChrootsDir = "/UNINIT";
 
 bool keepFailed = false;
 bool keepGoing = false;
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index f650cd1b79b5..a97aa6d8b5ec 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -35,6 +35,12 @@ extern string nixLibexecDir;
 /* nixBinDir is the directory where the main programs are stored. */
 extern string nixBinDir;
 
+/* nixChrootsDir is the directory where we create chroot environments
+   (when chroot builds are enabled).  We don't put these under /tmp to
+   prevent "rm -rf /tmp" from recursing into /nix/store via the bind
+   mounts in the chroots. */
+extern string nixChrootsDir;
+
 
 /* Misc. global flags. */