about summary refs log tree commit diff
path: root/scripts
AgeCommit message (Collapse)AuthorFilesLines
2014-01-15 nix-profile.sh: Add the Nixpkgs channel to $NIX_PATHEelco Dolstra1-1/+6
2014-01-13 nix-shell: Don't set NIX_INDENT_MAKEEelco Dolstra1-0/+1
It generally is not useful in interactive environments (and messes up some non-ANSI-compliant terminals).
2014-01-13 nix-shell: Set $IN_NIX_SHELL before evaluatingEelco Dolstra1-2/+2
2014-01-08 Support cryptographically signed binary cachesEelco Dolstra2-7/+35
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75.
2014-01-06 Revert "nix-shell: Set $IN_NIX_SHELL before evaluation"Eelco Dolstra1-2/+2
This reverts commit 0c1198cf08576f16633b2344dc6513cefb567cfc.
2013-12-30 nix-shell --pure: Don't clear IN_NIX_SHELLShea Levy1-1/+1
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-12-20 Revert "Scan /proc/<pid>/cmdline for GC roots"Eelco Dolstra1-8/+4
This reverts commit 194e3374b89b8b2dec6296923877304bdb5c6ae2. Checking the command line for GC roots means that $ nix-store --delete $path will fail because $path is now a root because it's mentioned on the command line.
2013-12-20 Scan /proc/<pid>/cmdline for GC rootsEelco Dolstra1-4/+8
2013-12-20 nix-shell: Don't warn about the lack of a GC rootEelco Dolstra1-1/+1
2013-12-20 nix-shell: Set $IN_NIX_SHELL before evaluationEelco Dolstra1-2/+2
This has some hacky applications.
2013-12-20 nix-shell: Handle --option correctlyEelco Dolstra1-1/+1
Fixes #181.
2013-12-17 nix-shell --pure: Keep $TERMEelco Dolstra1-1/+1
2013-10-24 Fix segfault on DarwinEelco Dolstra1-0/+1
Ever since SQLite in Nixpkgs was updated to 3.8.0.2, Nix has randomly segfaulted on Darwin: http://hydra.nixos.org/build/6175515 http://hydra.nixos.org/build/6611038 It turns out that this is because the binary cache substituter somehow ends up loading two versions of SQLite: the one in Nixpkgs and the other from /usr/lib/libsqlite3.dylib. It's not exactly clear why the latter is loaded, but it appears to be because WWW::Curl indirectly loads /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, which in turn seems to load /usr/lib/libsqlite3.dylib. This leads to a segfault when Perl exits: #0 0x00000001010375f4 in sqlite3_finalize () #1 0x000000010125806e in sqlite_st_destroy () #2 0x000000010124bc30 in XS_DBD__SQLite__st_DESTROY () #3 0x00000001001c8155 in XS_DBI_dispatch () ... #14 0x0000000100023224 in perl_destruct () #15 0x0000000100000d6a in main () ... The workaround is to explicitly load DBD::SQLite before WWW::Curl.
2013-10-18 Don't set $PS1 in non-interactive shellsEelco Dolstra1-1/+1
Shouldn't really matter, but you never know.
2013-10-18 nix-shell: Play nicely with non-interactive shellsShea Levy1-1/+3
nix-shell with the --command flag might be used non-interactively, but if bash starts non-interactively (i.e. with stdin or stderr not a terminal), it won't source the script given in --rcfile. However, in that case it *will* source the script found in $BASH_ENV, so we can use that instead. Also, don't source ~/.bashrc in a non-interactive shell (detectable by checking the PS1 env var) Signed-off-by: Shea Levy <shea@shealevy.com>
2013-10-14 nix-shell: Fix bash completionEelco Dolstra1-0/+1
Nixpkgs's stdenv setup script sets the "nullglob" option, but doing so breaks Bash completion on NixOS (when ‘programs.bash.enableCompletion’ is set) and on Ubuntu. So clear that flag afterwards. Of course, this may break stdenv functions in subtle ways...
2013-09-18 build-remote.pl: Don't use substituters on the remoteEelco Dolstra1-1/+1
It's kinda pointless to check substituters on the remote side, since we just checked them locally.
2013-09-06 nix-shell: Support a .drv as argumentEelco Dolstra1-8/+13
Fixes #161.
2013-07-31 nix-shell: Don't disable Automake dependency trackingEelco Dolstra1-1/+2
Nixpkgs' stdenv disables dependency tracking by default. That makes sense for one-time builds, but in an interactive environment we expect repeated "make" invocations to do the right thing.
2013-07-19 nix-shell: Set $IN_NIX_SHELLEelco Dolstra1-0/+2
This allows scripts to distinguish between a real build and a Nix shell.
2013-07-19 nix-shell: Set some environment variables also set by build.ccEelco Dolstra1-1/+3
Setting $NIX_STORE causes the purity checks in gcc/ld-wrapper to kick in, so that's why we unset $NIX_ENFORCE_PURITY.
2013-07-19 Rename ‘nix-build --run-env’ to ‘nix-shell’Eelco Dolstra2-7/+10
2013-07-19 nix-build --run-env: Add a ‘--pure’ flagEelco Dolstra1-2/+15
This causes the environment to be (almost) cleared, thus giving a shell that more closely resembled the actual Nix derivation.
2013-07-18 Revert "build-remote.pl: Enforce timeouts locally"Eelco Dolstra1-2/+3
This reverts commit 69b8f9980f39c14a59365a188b300a34d625a2cd. The timeout should be enforced remotely. Otherwise, if the garbage collector is running either locally or remotely, if will block the build or closure copying for some time. If the garbage collector takes too long, the build may time out, which is not what we want. Also, on heavily loaded systems, copying large paths to and from the remote machine can take a long time, also potentially resulting in a timeout.
2013-07-11 build-remote.pl: Move "building ..." message to a better placeEelco Dolstra1-1/+1
2013-07-11 nix-build --run-env: Always use BashEelco Dolstra1-1/+1
Fixes #113. Fixes #131.
2013-07-11 nix-build --run-env: Source $stdenv/setup in the interactive shellEelco Dolstra1-8/+17
This ensures that not just environment variables are set, but also shell functions such as unpackPhase, configurePhase and so on.
2013-07-01 Add support for uncompressed NARs in binary cachesEelco Dolstra3-8/+12
Issue NixOS/hydra#102.
2013-07-01 copy-from-other-stores.pl: Respect $NIX_BIN_DIREelco Dolstra1-4/+4
2013-07-01 copy-from-other-stores.pl: Report downloaded size as 0Eelco Dolstra1-1/+1
2013-06-20 Don't keep "disabled" substituters runningEelco Dolstra3-4/+12
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-07 download-from-binary-cache.pl: Respect $NIX_CONNECT_TIMEOUTEelco Dolstra1-0/+1
2013-06-07 Replace $NIX_DEBUG_SUBST with an option ‘debug-subst’Eelco Dolstra1-1/+1
Thus passing ‘--option debug-subst 1’ allows daemon users to turn on debug info and see what the substituter is doing.
2013-06-07 download-from-binary-cache.pl: Show if we're waiting for a URLEelco Dolstra1-3/+15
Previously, if a binary cache is hanging/unreachable/slow, download-from-binary-cache.pl would also hang without any indication to the user. Now, if fetching a URL takes more than 5 seconds, it will print a message to that effect.
2013-06-05 download-from-binary-cache.pl: Fix race conditionEelco Dolstra1-3/+4
Fixes the error "DBD::SQLite::db do failed: column url is not unique".
2013-06-05 Update the default binary cache URL to cache.nixos.orgEelco Dolstra1-1/+1
2013-06-04 download-from-binary-cache.pl: Treat a 403 error as a 404Eelco Dolstra1-2/+2
Amazon S3 returns HTTP status code 403 if a file doesn't exist and the user has no permission to list the contents of the bucket. So treat it as 404 (meaning it's cached in the NARExistence table).
2013-05-29 build-remote.pl: Remove meaningless signing when importing the output pathsEelco Dolstra1-3/+1
The "$UID != 0" makes no sense: if the local side has write access to the Nix store (which is always the case) then it doesn't matter if we're root - we can import unsigned paths either way.
2013-05-23 build-remote.pl: Copy all outputs in one operationEelco Dolstra1-5/+5
2013-05-23 build-remote.pl: Indicate if remote machine is refusing buildsEelco Dolstra1-2/+3
Fixes #120.
2013-05-15 download-from-binary-cache.pl: Get rid of an uninitialized value warningEelco Dolstra1-1/+1
Reported by Pablo Costa.
2013-05-10 build-remote.pl: Properly close the SSH connection between attemptsEelco Dolstra1-3/+4
2013-05-10 build-remote.pl: Pass /dev/null as SSH's stdinEelco Dolstra1-1/+1
Otherwise it will set the parent's stdin to non-blocking mode, causing the subsequent read of the set of inputs/outputs to fail randomly. That's insane.
2013-05-10 build-remote.pl: Allow a machine to refuse a buildEelco Dolstra1-1/+3
Before selecting a machine, build-remote.pl will try to run the command "nix-builds-inhibited" on the machine. If this command exists and returns a 0 exit code, then the machine won't be used. It's up to the user to provide this command, but it would typically be a script that checks whether there is enough disk space and whether the load is not too high.
2013-05-09 build-remote.pl: Create one process fewer on the remote sideEelco Dolstra1-1/+1
2013-05-09 build-remote.pl: Enforce timeouts locallyEelco Dolstra1-3/+2
Don't pass --timeout / --max-silent-time to the remote builder. Instead, let the local Nix process terminate the build if it exceeds a timeout. The remote builder will be killed as a side-effect. This gives better error reporting (since the timeout message from the remote side wasn't properly propagated) and handles non-Nix problems like SSH hangs.
2013-05-07 Add option ‘extra-binary-caches’Eelco Dolstra1-1/+10
This allows providing additional binary caches, useful in scripts like Hydra's build reproduction scripts, in particular because untrusted caches are ignored.
2013-05-03 nix-copy-closure: Show a proper error message if no host name is givenEelco Dolstra1-0/+2
2013-05-03 Fixing the pv position regarding compressionLluís Batlle i Rossell1-1/+1
Problem noticed by niksnut.
2013-05-03 Fixing the pv reference; I didn't mean to change itLluís Batlle i Rossell1-1/+1