| author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-23T14·41+0100 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-02-23T14·54+0100 |
| commit | 99897f6979aa21339b80904db1717c65a9202110 (patch) | |
| tree | b189e1e30b75f4b9a1a910a17c68760d44c52a79 /doc | |
| parent | 15d2d3c34e454fb7795998a3a2d73010dfbdec38 (diff) | |
Use chroots for all derivations
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/manual/command-ref/conf-file.xml | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 91aa910a2946..cdfdc1a6e461 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml 
@@ -227,24 +227,32 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> <varlistentry><term><literal>build-use-chroot</literal></term> <listitem><para>If set to <literal>true</literal>, builds will be - performed in a <emphasis>chroot environment</emphasis>, i.e., the - build will be isolated from the normal file system hierarchy and - will only see its dependencies in the Nix store, the temporary - build directory, private versions of <filename>/proc</filename>, + performed in a <emphasis>chroot environment</emphasis>, i.e., + they’re isolated from the normal file system hierarchy and will + only see their dependencies in the Nix store, the temporary build + directory, private versions of <filename>/proc</filename>, <filename>/dev</filename>, <filename>/dev/shm</filename> and <filename>/dev/pts</filename>, and the paths configured with the <link linkend='conf-build-chroot-dirs'><literal>build-chroot-dirs</literal> option</link>. This is useful to prevent undeclared dependencies - on files in directories such as - <filename>/usr/bin</filename>.</para> - - <para>The use of a chroot requires that Nix is run as root (so you - should use the <link linkend='conf-build-users-group'>“build - users” feature</link> to perform the actual builds under different - users than root). Currently, chroot builds only work on Linux - because Nix uses “bind mounts” to make the Nix store and other - directories available inside the chroot. Kernel version 3.13 or later - is needed.</para> + on files in directories such as <filename>/usr/bin</filename>. In + addition, on Linux, builds run in rivate PID, mount, network, IPC + and UTS namespaces to isolate them from other processes in the + system (except that fixed-output derivations do not run in private + network namespace to ensure they can access the network).</para> + + <para>Currently, chroots only work on Linux and Mac OS X. 
The use + of a chroot requires that Nix is run as root (so you should use + the <link linkend='conf-build-users-group'>“build users” + feature</link> to perform the actual builds under different users + than root).</para> + + <para>If this option is set to <literal>relaxed</literal>, then + fixed-output derivations and derivations that have the + <varname>__noChroot</varname> attribute set to + <literal>true</literal> do not run in chroots.</para> + + <para>The default is <literal>false</literal>.</para> </listitem> |
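Review bot: the added sentence "builds run in rivate PID, mount, network, IPC and UTS namespaces" has a typo; it should read "private PID, mount, network, IPC and UTS namespaces". Two further points on this hunk. First, the new paragraph says chroots "only work on Linux and Mac OS X" while the namespace sentence is scoped to Linux only, and the removed paragraph's "Kernel version 3.13 or later is needed" has no replacement; either restore the minimum kernel version or say why it no longer applies, since private network and PID namespaces depend on kernel support, and state what isolation a chroot provides on Mac OS X where no namespaces are mentioned. Second, the commit message says the `__noChroot` attribute is "no longer allowed" when `build-use-chroot` is `true`, but the documentation only describes the `relaxed` case ("do not run in chroots"); add a sentence to the `true` paragraph stating what happens to a derivation that sets `__noChroot` (whether the build is rejected or the attribute is ignored), so the behaviour change is visible to users reading the manual rather than the commit log.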