Age | Commit message | Author | Files | Lines |
|
There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
|
|
This is primarily useful for extracting NARs from other stores (like
binary caches), which "nix-store --dump" cannot do.
|
|
http://hydra.nixos.org/build/52420073
|
|
http://hydra.nixos.org/build/52408843
|
|
Similar to "jq -r", this prints the evaluation result (which must be a
string value) unquoted.
|
|
http://hydra.nixos.org/build/52401151
|
|
fix the description of --xml and --json
|
|
Those options seem to only apply with --eval and not with --parse.
|
|
This only runs on Linux because it requires a diverted store (which
uses mount/user namespaces).
|
|
When "--all" is used, we should not fill in a default installable.
|
|
Also, to unify with hydra-queue-runner, allow it to be a list of
files.
|
|
Opening an SSHStore or LegacySSHStore does not actually establish a
connection, so the try/catch block here did nothing. Added a
Store::connect() method to test whether a connection can be
established.
|
|
This is useful for one-off situations where you want to specify a
builder on the command line instead of having to mess with
nix.machines. E.g.

  $ nix-build -A hello --argstr system x86_64-darwin \
    --option builders 'root@macstadium1 x86_64-darwin'

will perform the specified build on "macstadium1".

It also removes the need for a separate nix.machines file since you
can specify builders in nix.conf directly. (In fact nix.machines is
yet another hack that predates the general nix.conf configuration
file, IIRC.)

Note: this option is supported by the daemon for trusted users. The
fact that this allows trusted users to specify paths to SSH keys to
which they don't normally have access is maybe a bit too much trust...
|
|
This allows hydra-queue-runner to use it.
|
|
The build hook mechanism expects build log output to go to file
descriptor 4, so do that.
|
|
This restores the old behaviour.
|
|
For backwards compatibility, if the URI is just a hostname, ssh://
(i.e. LegacySSHStore) is prepended automatically.

Also, all fields except the URI are now optional. For example, this is
a valid nix.machines file:

  local?root=/tmp/nix

This is useful for testing the remote build machinery since you don't
have to mess around with ssh.
|
|
This makes LegacySSHStore usable by build-remote and
hydra-queue-runner.
|
|
This is to simplify remote build configuration. These environment
variables predate nix.conf.
The build hook now has a sensible default (namely build-remote).
The current load is kept in the Nix state directory now.
|
|
Since build-remote uses buildDerivation() now, we don't need to copy
the .drv file anymore. This greatly reduces the set of input paths
copied to the remote side (e.g. from 392 to 51 store paths for GNU
hello on x86_64-darwin).
|
|
Fixes #1357.
|
|
This default implementation of buildPaths() does nothing if all
requested paths are already valid, and throws an "unsupported
operation" error otherwise. This fixes a regression introduced by
c30330df6f67c81986dfb124631bc756c8e58c0d in binary cache and legacy
SSH stores.
|
|
nix-daemon.service: fix startup
|
|
With catch-all rules, we hide potential errors.
It turns out that a4744254 made one catch-all useless. Flex detected that
it was impossible to reach.
The other is more subtle, as it can only trigger on unfinished escapes
in unfinished strings, which only occurs at EOF.
|
|
Otherwise starting nix-daemon fails
● nix-daemon.service - Nix Daemon
Loaded: loaded
(/nix/store/mnf00a6gc55xl47smk0b32gmi7xpvlfp-nix-1.12pre5308_2f21d522/lib/systemd/system/nix-daemon.service;
enabled; vendor preset: enabled)
Drop-In:
/nix/store/m2rgjp71n4kyp8j5fxgbrlv13scd5vvv-system-units/nix-daemon.service.d
└─overrides.conf
Active: failed (Result: exit-code) since Sat 2017-04-29 11:29:21
CEST; 9s ago
Process: 7299 ExecStart=nix-daemon --daemon (code=exited, status=1/FAILURE)
Main PID: 7299 (code=exited, status=1/FAILURE)
CPU: 19ms
... systemd[1]: Started Nix Daemon.
... nix-daemon[7299]: error: $XDG_CONFIG_HOME and $HOME are not set
... systemd[1]: nix-daemon.service: Main process exited, code=exited, status=1/FAILURE
... systemd[1]: nix-daemon.service: Unit entered failed state.
... systemd[1]: nix-daemon.service: Failed with result 'exit-code'.
... systemd[1]: nix-daemon.service: Start request repeated too quickly.
... systemd[1]: Failed to start Nix Daemon.
... systemd[1]: nix-daemon.service: Failed with result 'exit-code'.
|
|
http://hydra.nixos.org/build/52080911
|
|
This caused "nix-store --import" to compute an incorrect hash on NARs
that don't fit in an unsigned int. The import would succeed, but
"nix-store --verify-path" or subsequent exports would detect an
incorrect hash.
A deeper issue is that the export/import format does not contain a
hash, so we can't detect such issues early.
Also, I learned that -Wall does not warn about this.
|
|
Add Store nesting to fix import-from-derivation within filterSource
|
|