-rw-r--r-- | Makefile.config.in | 2 | ||||
-rw-r--r-- | doc/manual/command-ref/conf-file.xml | 46 | ||||
-rw-r--r-- | doc/manual/release-notes/release-notes.xml | 1 | ||||
-rw-r--r-- | doc/manual/release-notes/rl-1.11.xml | 23 | ||||
-rw-r--r-- | doc/manual/release-notes/rl-1.8.xml | 2 | ||||
-rw-r--r-- | mk/lib.mk | 4 | ||||
-rw-r--r-- | nix.spec.in | 1 | ||||
-rw-r--r-- | release.nix | 10 | ||||
-rw-r--r-- | scripts/download-from-binary-cache.pl.in | 2 | ||||
-rw-r--r-- | src/libexpr/local.mk | 5 | ||||
-rw-r--r-- | src/libstore/build.cc | 26 | ||||
-rw-r--r-- | src/libstore/local.mk | 2 | ||||
-rw-r--r-- | src/nix-daemon/nix-daemon.cc | 4 | ||||
-rw-r--r-- | src/nix-env/nix-env.cc | 12 |
14 files changed, 98 insertions, 42 deletions
diff --git a/Makefile.config.in b/Makefile.config.in index df18e9336d1f..f0de4da37855 100644 --- a/Makefile.config.in +++ b/Makefile.config.in @@ -4,10 +4,12 @@ CFLAGS = @CFLAGS@ CXX = @CXX@ CXXFLAGS = @CXXFLAGS@ HAVE_SODIUM = @HAVE_SODIUM@ +LIBCURL_LIBS = @LIBCURL_LIBS@ OPENSSL_LIBS = @OPENSSL_LIBS@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ SODIUM_LIBS = @SODIUM_LIBS@ +SQLITE3_LIBS = @SQLITE3_LIBS@ bash = @bash@ bindir = @bindir@ bsddiff_compat_include = @bsddiff_compat_include@ diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index 71a34950901c..daaf00ac3905 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -224,16 +224,16 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> </varlistentry> - <varlistentry><term><literal>build-use-chroot</literal></term> + <varlistentry><term><literal>build-use-sandbox</literal></term> <listitem><para>If set to <literal>true</literal>, builds will be - performed in a <emphasis>chroot environment</emphasis>, i.e., + performed in a <emphasis>sandboxed environment</emphasis>, i.e., they’re isolated from the normal file system hierarchy and will only see their dependencies in the Nix store, the temporary build directory, private versions of <filename>/proc</filename>, <filename>/dev</filename>, <filename>/dev/shm</filename> and - <filename>/dev/pts</filename>, and the paths configured with the - <link linkend='conf-build-chroot-dirs'><literal>build-chroot-dirs</literal> + <filename>/dev/pts</filename> (on Linux), and the paths configured with the + <link linkend='conf-build-sandbox-paths'><literal>build-sandbox-paths</literal> option</link>. This is useful to prevent undeclared dependencies on files in directories such as <filename>/usr/bin</filename>. In addition, on Linux, builds run in private PID, mount, network, IPC 
@@ -241,8 +241,8 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> system (except that fixed-output derivations do not run in private network namespace to ensure they can access the network).</para> - <para>Currently, chroots only work on Linux and Mac OS X. The use - of a chroot requires that Nix is run as root (so you should use + <para>Currently, sandboxing only work on Linux and Mac OS X. The use + of a sandbox requires that Nix is run as root (so you should use the <link linkend='conf-build-users-group'>“build users” feature</link> to perform the actual builds under different users than root).</para> @@ -250,7 +250,7 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> <para>If this option is set to <literal>relaxed</literal>, then fixed-output derivations and derivations that have the <varname>__noChroot</varname> attribute set to - <literal>true</literal> do not run in chroots.</para> + <literal>true</literal> do not run in sandboxes.</para> <para>The default is <literal>false</literal>.</para> 
@@ -259,17 +259,16 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> </varlistentry> - <varlistentry xml:id="conf-build-chroot-dirs"><term><literal>build-chroot-dirs</literal></term> + <varlistentry xml:id="conf-build-sandbox-paths"> + <term><literal>build-sandbox-paths</literal></term> - <listitem><para>A list of paths bind-mounted into Nix chroot - environments. Contrary to what the name suggests, the specified - paths do not have to be directories; you can bind-mount other - types of files as well. You can use the syntax + <listitem><para>A list of paths bind-mounted into Nix sandbox + environments. You can use the syntax <literal><replaceable>target</replaceable>=<replaceable>source</replaceable></literal> - to mount a path in a different location in the chroot; for + to mount a path in a different location in the sandbox; for instance, <literal>/bin=/nix-bin</literal> will mount the path <literal>/nix-bin</literal> as <literal>/bin</literal> inside the - chroot.</para> + sandbox.</para> <para>Depending on how Nix was built, the default value for this option may be empty or provide <filename>/bin/sh</filename> as a @@ -278,10 +277,11 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> </varlistentry> - <varlistentry xml:id="conf-build-extra-chroot-dirs"><term><literal>build-extra-chroot-dirs</literal></term> + <varlistentry xml:id="conf-build-extra-sandbox-paths"> + <term><literal>build-extra-sandbox-paths</literal></term> <listitem><para>A list of additional paths appended to - <option>build-chroot-dirs</option>. Useful if you want to extend + <option>build-sandbox-paths</option>. Useful if you want to extend its default value.</para></listitem> </varlistentry> 
@@ -426,7 +426,7 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> <listitem><para>The maximum number of parallel HTTP connections used by the binary cache substituter to get NAR info files. This number should be high to minimise latency. It defaults to - 150.</para></listitem> + 25.</para></listitem> </varlistentry> @@ -593,19 +593,21 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para> between different versions of the same system to be hard-coded into nix. </para> - <para>The hook is passed the derivation path and, if chroots are enabled, - the chroot directory. It can then modify the chroot and send a series of + <para>The hook is passed the derivation path and, if sandboxes are enabled, + the sandbox directory. It can then modify the sandbox and send a series of commands to modify various settings to stdout. The currently recognized commands are:</para> <variablelist> - <varlistentry xml:id="extra-chroot-dirs"><term><literal>extra-chroot-dirs</literal></term> + <varlistentry xml:id="extra-sandbox-paths"> + <term><literal>extra-sandbox-paths</literal></term> <listitem> <para>Pass a list of files and directories to be included in the - chroot for this build. One entry per line, terminated by an empty - line. Entries have the same format as build-chroot-dirs.</para> + sandbox for this build. One entry per line, terminated by an empty + line. Entries have the same format as + <literal>build-sandbox-paths</literal>.</para> </listitem> diff --git a/doc/manual/release-notes/release-notes.xml b/doc/manual/release-notes/release-notes.xml index 4ea57c99c3a4..0aa3e8717aa1 100644 --- a/doc/manual/release-notes/release-notes.xml +++ b/doc/manual/release-notes/release-notes.xml @@ -12,6 +12,7 @@ </partintro> --> +<xi:include href="rl-1.11.xml" /> <xi:include href="rl-1.10.xml" /> <xi:include href="rl-1.9.xml" /> <xi:include href="rl-1.8.xml" /> 
diff --git a/doc/manual/release-notes/rl-1.11.xml b/doc/manual/release-notes/rl-1.11.xml new file mode 100644 index 000000000000..aa9a3e101835 --- /dev/null +++ b/doc/manual/release-notes/rl-1.11.xml @@ -0,0 +1,23 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="ssec-relnotes-1.11"> + +<title>Release 1.11 (TODO: date, 2015)</title> + +<para>TODO: This is primarily a bug fix release. It also has a number of new +features:</para> + +<itemizedlist> + <listitem> + <para>All "chroot"-containing strings got renamed to "sandbox". + In particular, some nix options got renamed, but the old names + are still accepted as lower-priority aliases. + </para> + </listitem> +</itemizedlist> + +<para>This release has contributions from TODO.</para> + +</section> diff --git a/doc/manual/release-notes/rl-1.8.xml b/doc/manual/release-notes/rl-1.8.xml index e551ee06055f..b7acc1773baa 100644 --- a/doc/manual/release-notes/rl-1.8.xml +++ b/doc/manual/release-notes/rl-1.8.xml @@ -60,7 +60,7 @@ $ nix-store -l $(which xterm) <listitem><para><command>nix-copy-closure</command> now uses <command>nix-store --serve</command> on the remote side to send or receive closures. This fixes a race condition between - <command>nix-copy-closureE</command> and the garbage + <command>nix-copy-closure</command> and the garbage collector.</para></listitem> <listitem><para>Derivations can specify the new special attribute diff --git a/mk/lib.mk b/mk/lib.mk index 4ad5c636c8d4..bb82801d3b4e 100644 --- a/mk/lib.mk +++ b/mk/lib.mk @@ -61,7 +61,9 @@ ifeq ($(BUILD_SHARED_LIBS), 1) endif ifneq ($(OS), Darwin) ifneq ($(OS), SunOS) - GLOBAL_LDFLAGS += -Wl,--no-copy-dt-needed-entries + ifneq ($(OS), FreeBSD) + GLOBAL_LDFLAGS += -Wl,--no-copy-dt-needed-entries + endif endif endif SET_RPATH_TO_LIBS ?= 1 diff --git a/nix.spec.in b/nix.spec.in index 4dbfdfa09bc0..5fc34e1a0561 100644 --- a/nix.spec.in 
+++ b/nix.spec.in @@ -26,6 +26,7 @@ Requires: gzip Requires: xz BuildRequires: bzip2-devel BuildRequires: sqlite-devel +BuildRequires: libcurl-devel # Hack to make that shitty RPM scanning hack shut up. Provides: perl(Nix::SSH) diff --git a/release.nix b/release.nix index 0ee75e9a8b76..adf87f68ada3 100644 --- a/release.nix +++ b/release.nix @@ -97,10 +97,6 @@ let enableParallelBuilding = true; - sandboxProfile = lib.sandbox.allowFileRead [ - "/etc" "/etc/nix/nix.conf" "/private/etc/nix/nix.conf" - ]; - makeFlags = "profiledir=$(out)/etc/profile.d"; preBuild = "unset NIX_INDENT_MAKE"; @@ -285,7 +281,7 @@ let src = jobs.tarball; diskImage = (diskImageFun vmTools.diskImageFuns) { extraPackages = - [ "perl-DBD-SQLite" "perl-devel" "sqlite" "sqlite-devel" "bzip2-devel" "emacs" "perl-WWW-Curl" "libcurl-devel" ] + [ "perl-DBD-SQLite" "perl-devel" "sqlite" "sqlite-devel" "bzip2-devel" "emacs" "perl-WWW-Curl" "libcurl-devel" "openssl-devel" "xz-devel" ] ++ extraPackages; }; memSize = 1024; meta.schedulingPriority = 50; @@ -306,13 +302,13 @@ let src = jobs.tarball; diskImage = (diskImageFun vmTools.diskImageFuns) { extraPackages = - [ "libdbd-sqlite3-perl" "libsqlite3-dev" "libbz2-dev" "libwww-curl-perl" "libcurl-dev" ] + [ "libdbd-sqlite3-perl" "libsqlite3-dev" "libbz2-dev" "libwww-curl-perl" "libcurl-dev" "libssl-dev" "liblzma-dev" ] ++ extraPackages; }; memSize = 1024; meta.schedulingPriority = 50; configureFlags = "--sysconfdir=/etc"; debRequires = - [ "curl" "libdbd-sqlite3-perl" "libsqlite3-0" "libbz2-1.0" "bzip2" "xz-utils" "libwww-curl-perl" ] + [ "curl" "libdbd-sqlite3-perl" "libsqlite3-0" "libbz2-1.0" "bzip2" "xz-utils" "libwww-curl-perl" "libssl1.0.0" "liblzma5" ] ++ lib.optionals (lib.elem "libsodium-dev" extraPackages) [ "libsodium13" ] ; debMaintainer = "Eelco Dolstra <eelco.dolstra@logicblox.com>"; doInstallCheck = true; diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index ea053bf14da4..60f7f9aef3d2 100644 
--- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -21,7 +21,7 @@ Nix::Config::readConfig; my @caches; my $gotCaches = 0; -my $maxParallelRequests = int($Nix::Config::config{"binary-caches-parallel-connections"} // 150); +my $maxParallelRequests = int($Nix::Config::config{"binary-caches-parallel-connections"} // 25); $maxParallelRequests = 1 if $maxParallelRequests < 1; my $ttlNegative = 24 * 3600; # when to purge negative lookups from the database diff --git a/src/libexpr/local.mk b/src/libexpr/local.mk index d1b1987fb037..5de9ccc6d011 100644 --- a/src/libexpr/local.mk +++ b/src/libexpr/local.mk @@ -10,7 +10,10 @@ libexpr_CXXFLAGS := -Wno-deprecated-register libexpr_LIBS = libutil libstore libformat -libexpr_LDFLAGS = -ldl +libexpr_LDFLAGS = +ifneq ($(OS), FreeBSD) + libexpr_LDFLAGS += -ldl +endif # The dependency on libgc must be propagated (i.e. meaning that # programs/libraries that use libexpr must explicitly pass -lgc), diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 81ef701b0c13..e1ccb1eaf136 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1275,6 +1275,9 @@ static bool canBuildLocally(const BasicDerivation & drv) #if __linux__ || (drv.platform == "i686-linux" && settings.thisSystem == "x86_64-linux") || (drv.platform == "armv6l-linux" && settings.thisSystem == "armv7l-linux") +#elif __FreeBSD__ + || (drv.platform == "i686-linux" && settings.thisSystem == "x86_64-freebsd") + || (drv.platform == "i686-linux" && settings.thisSystem == "i686-freebsd") #endif ; } 
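Review bot: The new `#elif __FreeBSD__` branch in canBuildLocally declares `i686-linux` derivations locally buildable on `x86_64-freebsd` and `i686-freebsd`, but unlike the Linux branch above it (where the host kernel runs those ABIs natively) this presumably relies on the Linux binary-compatibility layer being installed and enabled at runtime, which the check does not verify. If it is absent, the build is claimed locally and fails at exec instead of being handed to a remote builder. At minimum the assumption deserves a comment, e.g. `/* requires the Linux ABI compatibility layer to be loaded; not probed here */`, and a runtime probe would be better if one is cheap. canBuildLocally starts before this hunk.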
@@ -1878,12 +1881,14 @@ void DerivationGoal::startBuilder() work properly. Purity checking for fixed-output derivations is somewhat pointless anyway. */ { - string x = settings.get("build-use-chroot", string("false")); + string x = settings.get("build-use-sandbox", + /* deprecated alias */ + settings.get("build-use-chroot", string("false"))); if (x != "true" && x != "false" && x != "relaxed") - throw Error("option ‘build-use-chroot’ must be set to one of ‘true’, ‘false’ or ‘relaxed’"); + throw Error("option ‘build-use-sandbox’ must be set to one of ‘true’, ‘false’ or ‘relaxed’"); if (x == "true") { if (get(drv->env, "__noChroot") == "1") - throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, but that's not allowed when ‘build-use-chroot’ is ‘true’") % drvPath); + throw Error(format("derivation ‘%1%’ has ‘__noChroot’ set, but that's not allowed when ‘build-use-sandbox’ is ‘true’") % drvPath); useChroot = true; } else if (x == "false") @@ -1902,8 +1907,13 @@ void DerivationGoal::startBuilder() /* Allow a user-configurable set of directories from the host file system. */ - PathSet dirs = tokenizeString<StringSet>(settings.get("build-chroot-dirs", defaultChrootDirs)); - PathSet dirs2 = tokenizeString<StringSet>(settings.get("build-extra-chroot-dirs", string(""))); + PathSet dirs = tokenizeString<StringSet>( + settings.get("build-sandbox-paths", + /* deprecated alias with lower priority */ + settings.get("build-chroot-dirs", defaultChrootDirs))); + PathSet dirs2 = tokenizeString<StringSet>( + settings.get("build-extra-chroot-dirs", + settings.get("build-extra-sandbox-paths", string("")))); dirs.insert(dirs2.begin(), dirs2.end()); dirsInChroot.clear(); @@ -2051,7 +2061,7 @@ void DerivationGoal::startBuilder() /* We don't really have any parent prep work to do (yet?) All work happens in the child, instead. */ #else - throw Error("chroot builds are not supported on this platform"); + throw Error("sandboxing builds is not supported on this platform"); #endif } 
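Review bot: The precedence for the extra sandbox paths is inverted relative to the other two renamed options in this hunk: `dirs` and the `build-use-sandbox` lookup try the new name first and fall back to the deprecated one, but `dirs2` reads `build-extra-chroot-dirs` first and only falls back to `build-extra-sandbox-paths`, so when both are configured the deprecated name wins, contrary to the release note that old names are lower-priority aliases. Since these paths are bind-mounted from the host into the sandbox, an operator who tightens `build-extra-sandbox-paths` while a stale `build-extra-chroot-dirs` remains would silently keep the old set. Swap the nesting: `PathSet dirs2 = tokenizeString<StringSet>(` / `    settings.get("build-extra-sandbox-paths",` / `        settings.get("build-extra-chroot-dirs", string(""))));`. DerivationGoal::startBuilder starts before this hunk and continues past it.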
@@ -2100,7 +2110,7 @@ void DerivationGoal::startBuilder() auto line = std::string{lines, lastPos, nlPos - lastPos}; lastPos = nlPos + 1; if (state == stBegin) { - if (line == "extra-chroot-dirs") { + if (line == "extra-sandbox-paths" || line == "extra-chroot-dirs") { state = stExtraChrootDirs; } else { throw Error(format("unknown pre-build hook command ‘%1%’") @@ -2642,7 +2652,7 @@ void DerivationGoal::registerOutputs() replaceValidPath(path, actualPath); else if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output ‘%1%’ from the chroot to the Nix store") % path); + throw SysError(format("moving build output ‘%1%’ from the sandbox to the Nix store") % path); } if (buildMode != bmCheck) actualPath = path; } else { diff --git a/src/libstore/local.mk b/src/libstore/local.mk index f10981ad444c..e78f47949ad3 100644 --- a/src/libstore/local.mk +++ b/src/libstore/local.mk @@ -8,7 +8,7 @@ libstore_SOURCES := $(wildcard $(d)/*.cc) libstore_LIBS = libutil libformat -libstore_LDFLAGS = -lsqlite3 -lbz2 -lcurl +libstore_LDFLAGS = $(SQLITE3_LIBS) -lbz2 $(LIBCURL_LIBS) ifeq ($(OS), SunOS) libstore_LDFLAGS += -lsocket diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc index b4d1401d95cf..e97d1dab17b2 100644 --- a/src/nix-daemon/nix-daemon.cc +++ b/src/nix-daemon/nix-daemon.cc @@ -692,6 +692,10 @@ static PeerInfo getPeerInfo(int remote) #elif defined(LOCAL_PEERCRED) +#if !defined(SOL_LOCAL) +#define SOL_LOCAL 0 +#endif + xucred cred; socklen_t credLen = sizeof(cred); if (getsockopt(remote, SOL_LOCAL, LOCAL_PEERCRED, &cred, &credLen) == -1) diff --git a/src/nix-env/nix-env.cc b/src/nix-env/nix-env.cc index 313f8a8a8f35..02a9f25a7a4e 100644 --- a/src/nix-env/nix-env.cc +++ b/src/nix-env/nix-env.cc 
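Review bot: In the nix-daemon.cc hunk, the peer credentials obtained through `LOCAL_PEERCRED` are read into a `xucred` without checking that the kernel filled the structure the daemon expects; `xucred` carries a `cr_version` field that the BSD API defines for exactly this purpose, and the returned length can also be checked. Because getPeerInfo's result is what the daemon uses to decide how much to trust the connecting client, a layout mismatch here is worse than a clean failure, so after the `getsockopt` call add `if (credLen != sizeof(cred) || cred.cr_version != XUCRED_VERSION) throw Error("unexpected peer credential structure");` (or the project's equivalent) before any field is used. The `#define SOL_LOCAL 0` fallback is defensible since the BSD option is documented at level 0, but defining a macro inside a function body is unusual; moving it next to the includes with a one-line comment would make the intent visible. getPeerInfo starts before this hunk and its use of `cred` continues past it.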
@@ -1140,7 +1140,19 @@ static void opQuery(Globals & globals, Strings opFlags, Strings opArgs) attrs3["value"] = v->listElems()[j]->string.s; xml.writeEmptyElement("string", attrs3); } + } else if (v->type == tAttrs) { + attrs2["type"] = "strings"; + XMLOpenElement m(xml, "meta", attrs2); + Bindings & attrs = *v->attrs; + for (auto &i : attrs) { + Attr & a(*attrs.find(i.name)); + if(a.value->type != tString) continue; + XMLAttrs attrs3; + attrs3["type"] = i.name; + attrs3["value"] = a.value->string.s; + xml.writeEmptyElement("string", attrs3); } + } } } } |
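Review bot: `Attr & a(*attrs.find(i.name));` re-looks-up the binding that the range-for already holds in `i`, so `a` is always just `i`; use `i.value` directly: `if (i.value->type != tString) continue;` and `attrs3["value"] = i.value->string.s;`. As in the list branch above it, the new attrset branch reads `->type` and `->string.s` without forcing the value; if the attribute values can still be unevaluated here (not visible in the hunk), such entries are silently dropped by the `continue` rather than reported, which is worth confirming. The attribute name is emitted under the XML attribute `type`, which is surprising for consumers of the `--xml` output and deserves a short comment stating that this is intentional. opQuery starts before this hunk.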