Age | Commit message | Author | Files | Lines |
|
This allows builds to call setuid binaries. This was previously
possible until we started using seccomp. Turns out that seccomp by
default disallows processes from acquiring new privileges. Generally,
any use of setuid binaries (except those created by the builder
itself) is by definition impure, but some people were relying on this
ability for certain tests.
Example:
$ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines:
cannot raise the capability into the Ambient set
: Operation not permitted
$ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms
Fixes #1429.
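The mechanism behind the failure shown above is the Linux no_new_privs flag: a process must set PR_SET_NO_NEW_PRIVS (or hold CAP_SYS_ADMIN) before it may install a seccomp-bpf filter, the flag is one-way, it is inherited across fork() and execve(), and while it is set execve() ignores setuid/setgid bits and file capabilities on the executed binary. A setuid wrapper such as /run/wrappers/bin/ping therefore does not gain the capability it would normally get at exec time inside a seccomp-confined builder, and its attempt to raise that capability into the ambient set fails with EPERM. The following is an added example, not code from the Nix project: it sets the flag in a forked child (so the calling process is left untouched), reads it back through prctl(2) and /proc/self/status, and shows a grandchild inheriting it. The only assumption is a Linux host; off Linux the probe returns None.

```python
"""Observe the no_new_privs flag that seccomp-bpf filtering relies on.

Added example, not Nix code. Kernel behaviour as documented in prctl(2)
and seccomp(2): the flag can only be set, never cleared, is inherited by
children, and makes execve() ignore setuid/setgid bits and file
capabilities on the binary being executed.
"""
import ctypes
import os
import sys
from typing import Optional

PR_SET_NO_NEW_PRIVS = 38  # <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39


def _prctl(option: int, arg2: int = 0) -> int:
    """Thin wrapper over prctl(2); raises OSError on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    ret = libc.prctl(option, arg2, 0, 0, 0)
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return ret


def no_new_privs_from_proc() -> int:
    """Read the flag back via /proc/self/status ('NoNewPrivs:' field); -1 if absent."""
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    return -1


def probe_no_new_privs() -> Optional[dict]:
    """Set the flag in a forked child and report what the child and a grandchild see.

    The work happens in a child because the flag cannot be cleared again;
    the calling process is left untouched. Returns None off Linux.
    """
    if sys.platform != "linux":
        return None
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(r)
        try:
            before = _prctl(PR_GET_NO_NEW_PRIVS)
            _prctl(PR_SET_NO_NEW_PRIVS, 1)
            after = _prctl(PR_GET_NO_NEW_PRIVS)
            proc = no_new_privs_from_proc()
            gpid = os.fork()
            if gpid == 0:  # grandchild: inherits the flag across fork()
                os._exit(_prctl(PR_GET_NO_NEW_PRIVS))
            _, status = os.waitpid(gpid, 0)
            inherited = os.WEXITSTATUS(status)
            msg = f"{before} {after} {proc} {inherited}"
        except Exception:
            msg = "-1 -1 -1 -1"
        os.write(w, msg.encode())
        os._exit(0)
    os.close(w)
    data = os.read(r, 64).decode().split()
    os.close(r)
    os.waitpid(pid, 0)
    before, after, proc, inherited = map(int, data)
    return {"before": before, "after": after, "proc_status": proc,
            "grandchild_inherited": inherited}


if __name__ == "__main__":
    print(probe_no_new_privs())
```

The `before` value is whatever the calling process already has (1 if the example itself runs under a container runtime that sets no-new-privileges), which is why the probe reports it rather than assuming 0.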
|
|
(cherry picked from commit c20641ce569dc1fdeaeaa147b0292f258667f53b)
|
|
(cherry picked from commit 0fb60e4e0f66cc42c7c274acfcf00b51f6c829c4)
|
|
Fix variable name typo in derivations doc
|
|
Document fetchTarball can take a sha256
|
|
Note that I refer to `nix-prefetch-url`.
|
|
Using linenoise avoids a license compatibility issue (#1356), is a lot
smaller and doesn't pull in ncurses.
|
|
fix the description of --xml and --json
|
|
Those options seem to only apply with --eval and not with --parse.
|
|
This is to simplify remote build configuration. These environment
variables predate nix.conf.
The build hook now has a sensible default (namely build-remote).
The current load is kept in the Nix state directory now.
|
|
Fix small grammar issue about page
|
|
Drop misleading ellipses
|
|
better document --meta option for nix-env
|
|
This portion of the quick start guide may lead to confusion for
newcomers to Nix. This change clarifies the example to one that can be
copied in its entirety.
|
|
Fix subject-verb agreement issue in introduction/about.
|
|
This makes all config options self-documenting.
Unknown or unparseable config settings and --option flags now cause a
warning.
|
|
Looks like this snuck into the 1.11 release notes post-release, but
float support isn't actually present until 1.12.
|
|
This allows various Store implementations to provide different ways to
get build logs. For example, BinaryCacheStore can get the build logs
from the binary cache.
Also, remove the log-servers option since we can use substituters for
this.
|
|
"build-max-jobs" and the "-j" option can now be set to "auto" to use
the number of CPUs in the system. (Unlike build-cores, it doesn't use
0 to imply auto-configuration, because a) magic values are a bad idea
in general; b) 0 is a legitimate value used to disable local
building.)
Fixes #1198.
|
|
We set build-cores automatically, not build-max-jobs. (The commit
message for de4cdd0d47adc70a4db12397a42c18ee50b4e662 also got this
wrong.)
|
|
Fixes #341
|
|
And also don't refer to f-spot, which apparently no longer exists.
Issue #1170.
|
|
The current behaviour modifies the first writeable file from amongst
.bash_profile, .bash_login and .profile. So .bash_profile (if it is
writable) would be modified even if a user has already sourced nix.sh
in, say, .profile.
This commit introduces a new environment variable,
NIX_INSTALLER_NO_MODIFY_PROFILE. If this is set during installation,
then the modifications are unconditionally skipped.
This is useful for users who have a manually curated set of dotfiles
that they are porting to a new machine. In such scenarios, nix.sh is
already sourced at a place where the user prefers. Without this
change, the nix installer would insist on modifying .bash_profile if
it exists.
This commit also adds documentation for both the current behaviour and
the new override.
|
|
For example, you can now set
build-sandbox-paths = /dev/nvidiactl?
to specify that /dev/nvidiactl should only be mounted in the sandbox
if it exists in the host filesystem. This is useful e.g. for EC2
images that should support both CUDA and non-CUDA instances.
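The `?` suffix described above is only meaningful once the setting is parsed and checked against the host filesystem, so here is an added example (not code from the Nix project) of that logic. It handles the `/path` form, the `target=source` mapping form that Nix's sandbox-paths setting also accepts but which the commit message does not mention, and the trailing `?` marking an entry as optional; a missing optional path is silently skipped, a missing required path is an error. The host filesystem is modelled as a set of existing paths, constructed inline to stand in for a CUDA and a non-CUDA EC2 image, so the example runs without real devices.

```python
"""Parse a Nix `build-sandbox-paths` value and resolve it against a host view.

Added example, not Nix code. Entries are whitespace-separated; a trailing
'?' is stripped first and marks the entry optional, then 'target=source'
is split on the first '=' (no '=' means source == target), matching the
order Nix applies these rules in.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class SandboxMount:
    target: str     # path inside the sandbox
    source: str     # path on the host to bind-mount there
    optional: bool  # skip instead of failing if `source` is absent


class MissingSandboxPath(Exception):
    """A required sandbox path does not exist on the host."""


def parse_sandbox_paths(setting: str) -> List[SandboxMount]:
    mounts: List[SandboxMount] = []
    for entry in setting.split():
        optional = entry.endswith("?")
        if optional:
            entry = entry[:-1]
        if not entry:
            raise ValueError("empty sandbox path entry")
        target, sep, source = entry.partition("=")
        if not sep:
            source = target
        for p in (target, source):
            if not p.startswith("/"):
                raise ValueError(f"sandbox path must be absolute: {p!r}")
        mounts.append(SandboxMount(target=target, source=source, optional=optional))
    return mounts


def resolve_mounts(mounts: Iterable[SandboxMount],
                   host_exists: Callable[[str], bool]) -> List[SandboxMount]:
    """Drop optional mounts whose host source is absent; fail on required ones."""
    resolved: List[SandboxMount] = []
    for m in mounts:
        if host_exists(m.source):
            resolved.append(m)
        elif not m.optional:
            raise MissingSandboxPath(
                f"sandbox path {m.source!r} is required but does not exist on the host")
    return resolved


def mounts_for(setting: str, host_paths: set) -> List[str]:
    """Sandbox-side paths that would actually be mounted for a given host view."""
    mounts = resolve_mounts(parse_sandbox_paths(setting), host_paths.__contains__)
    return [m.target for m in mounts]


# Constructed host filesystems: one image with the NVIDIA device nodes, one without.
CUDA_HOST = {"/bin/sh", "/dev/nvidiactl", "/dev/nvidia0"}
PLAIN_HOST = {"/bin/sh"}

SETTING = "/bin/sh /dev/nvidiactl? /dev/nvidia0?"

if __name__ == "__main__":
    print(mounts_for(SETTING, CUDA_HOST))   # ['/bin/sh', '/dev/nvidiactl', '/dev/nvidia0']
    print(mounts_for(SETTING, PLAIN_HOST))  # ['/bin/sh']
```

Without the `?`, the same `SETTING` on `PLAIN_HOST` raises `MissingSandboxPath`, which is the failure the optional marker exists to avoid on images that lack the device.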
|
|
Fixes #1069.
|