about summary refs log tree commit diff
path: root/src/libstore/build.cc
AgeCommit message (Collapse)AuthorFilesLines
2018-02-19 Don't silently succeed seccomp setup when !HAVE_SECCOMP.Shea Levy1-2/+7
Running Nix with build users without seccomp on Linux is dangerous, and administrators should very explicitly opt-in to it.
2018-02-18 configure: Add a flag to disable seccomp.Shea Levy1-1/+3
This is needed for new arches where libseccomp support doesn't exist yet. Fixes #1878.
2018-02-12 Fix 'deadlock: trying to re-acquire self-held lock'Eelco Dolstra1-13/+17
This was caused by derivations with 'allowSubstitutes = false'. Such derivations will be built locally. However, if there is another SubstitionGoal that has the output of the first derivation in its closure, then the path will be simultaneously built and substituted. There was a check to catch this situation (via pathIsLockedByMe()), but it no longer worked reliably because substitutions are now done in another thread. (Thus the comment 'It can't happen between here and the lockPaths() call below because we're not allowing multi-threading' was no longer valid.) The fix is to handle the path already being locked in both SubstitutionGoal and DerivationGoal.
2018-02-09 nix: Ensure that the user sees errors from substitutersEelco Dolstra1-3/+3
2018-02-07 Improve filtering of ANSI escape sequences in build logsEelco Dolstra1-1/+1
All ANSI sequences except color setting are now filtered out. In particular, terminal resets (such as from NixOS VM tests) are filtered out. Also, fix the completely broken tab character handling.
2018-02-05 Allow substituters to be marked as trustedEelco Dolstra1-2/+5
This is needed by nixos-install, which uses the Nix store on the installation CD as a substituter. We don't want to disable signature checking entirely because substitutes from cache.nixos.org should still be checked. So now we can pas "local?trusted=1" to mark only the Nix store in /nix as not requiring signatures. Fixes #1819.
2018-02-05 Fix segfault using non-binary cache stores as substitutersEelco Dolstra1-1/+1
2018-02-03 Remove nix-build --hashEelco Dolstra1-20/+27
Instead, if a fixed-output derivation produces has an incorrect output hash, we now unconditionally move the outputs to the path corresponding with the actual hash and register it as valid. Thus, after correcting the hash in the Nix expression (e.g. in a fetchurl call), the fixed-output derivation doesn't have to be built again. It would still be good to have a command for reporting the actual hash of a fixed-output derivation (instead of throwing an error), but "nix-build --hash" didn't do that.
2018-01-23 Fix obscure corner case in name resolution for builtin:fetchurl in sandboxed ↵Dan Peebles1-0/+17
environments
2018-01-19 Rewrite builtin derivation environmentEelco Dolstra1-1/+6
Also add a test. Fixes #1803. Closes #1805.
2018-01-15 Barf when using a diverted store on macOSEelco Dolstra1-2/+7
Fixes #1792.
2017-12-11 Mark comparison call operator as constWill Dietz1-2/+2
2017-11-28 Show log tail when a remote build failsEelco Dolstra1-2/+2
2017-10-30 Merge pull request #1646 from copumpkin/optional-sandbox-local-networkEelco Dolstra1-3/+9
Allow optional localhost network access to sandboxed derivations
2017-10-30 Allow optional localhost network access to sandboxed derivationsDan Peebles1-3/+9
This will allow bind and connect to 127.0.0.1, which can reduce purity/ security (if you're running a vulnerable service on localhost) but is also needed for a ton of test suites, so I'm leaving it turned off by default but allowing certain derivations to turn it on as needed. It also allows DNS resolution of arbitrary hostnames but I haven't found a way to avoid that. In principle I'd just want to allow resolving localhost but that doesn't seem to be possible. I don't think this belongs under `build-use-sandbox = relaxed` because we want it on Hydra and I don't think it's the end of the world.
2017-10-25 Fix building on clangEelco Dolstra1-2/+2
https://hydra.nixos.org/build/62945761
2017-10-25 exportReferencesGraph: Allow exporting a list of store pathsEelco Dolstra1-14/+22
2017-10-25 Fix exportReferencesGraph in the structured attrs caseEelco Dolstra1-69/+68
2017-10-25 Pass lists/attrsets to bash as (associative) arraysEelco Dolstra1-3/+93
2017-10-24 More progress indicator improvementsEelco Dolstra1-13/+9
In particular, don't show superfluous "fetching path" and "building path(s)" messages, and show the current round (with --repeat).
2017-10-24 More progress indicator improvementsEelco Dolstra1-4/+4
Fixes #1599.
2017-10-24 Progress indicator: Show on what machine we're buildingEelco Dolstra1-3/+7
E.g. $ nix build nixpkgs.hello --builders 'root@wendy' [1/0/1 built] building hello-2.10 on ssh://root@wendy: checking for minix/config.h... no
2017-10-24 Handle log messages from build-remoteEelco Dolstra1-114/+22
This makes the progress indicator show statuses like "connecting to 'root@machine'".
2017-10-24 Remove the remote-builds optionEelco Dolstra1-2/+6
This is superfluous since you can now just set "builders" to empty, e.g. "--builders ''".
2017-10-23 Pass all settings to build-remoteEelco Dolstra1-10/+18
This ensures that command line flags such as --builders get passed correctly.
2017-10-17 Shift Darwin sandbox to separate installed filesDan Peebles1-9/+5
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
2017-10-12 Add option to disable the seccomp filterEelco Dolstra1-0/+2
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
2017-09-08 Communicate the structured log FD to buildersEelco Dolstra1-1/+6
Since we may use a dedicated file descriptor in the future, this allows us to change it. So builders can do if [[ -n $NIX_LOG_FD ]]; then echo "@nix { message... }" >&$NIX_LOG_FD fi
2017-09-05 Add automatic garbage collectionEelco Dolstra1-0/+5
Nix can now automatically run the garbage collector during builds or while adding paths to the store. The option "min-free = <bytes>" specifies that Nix should run the garbage collector whenever free space in the Nix store drops below <bytes>. It will then delete garbage until "max-free" bytes are available. Garbage collection during builds is asynchronous; running builds are not paused and new builds are not blocked. However, there also is a synchronous GC run prior to the first build/substitution. Currently, no old GC roots are deleted (as in "nix-collect-garbage -d").
2017-08-31 Call queryMissing() prior to buildingEelco Dolstra1-0/+12
Without this, substitute info is fetched sequentially, which is superslow. In the old UI (e.g. nix-build), we call printMissing(), which calls queryMissing(), thereby preheating the binary cache cache. But the new UI doesn't do that.
2017-08-31 Rename a few configuration optionsEelco Dolstra1-3/+3
In particular, drop the "build-" and "gc-" prefixes which are pointless. So now you can say nix build --no-sandbox instead of nix build --no-build-use-sandbox
2017-08-28 Give activities a verbosity level againEelco Dolstra1-4/+6
And print them (separately from the progress bar) given sufficient -v flags.
2017-08-25 SimplifyEelco Dolstra1-10/+36
2017-08-25 Allow derivations to update the build phaseEelco Dolstra1-0/+5
So the progress bar can show [1/0/1 built, 0.0 MiB DL] building hello-2.10 (configuring): checking whether pread is declared without a macro... yes
2017-08-25 Allow activities to be nestedEelco Dolstra1-3/+6
In particular, this allows more relevant activities ("substituting X") to supersede inferior ones ("downloading X").
2017-08-25 Restore activity metadataEelco Dolstra1-2/+5
This allows the progress bar to display "building perl-5.22.3" instead of "building /nix/store/<hash>-perl-5.22.3.drv".
2017-08-21 Clean up JSON constructionEelco Dolstra1-3/+18
2017-08-21 Allow builders to create activitiesEelco Dolstra1-6/+72
Actually, currently they can only create download activities. Thus, downloads by builtins.fetchurl show up in the progress bar.
2017-08-16 nix optimise-store: Show how much space has been freedEelco Dolstra1-1/+1
2017-08-16 Progress indicator: CleanupEelco Dolstra1-7/+7
2017-08-16 Progress indicator: More improvementsEelco Dolstra1-9/+47
2017-08-16 Progress indicator: Show number of active itemsEelco Dolstra1-12/+8
2017-08-16 Progress indicator: Unify "copying" and "substituting"Eelco Dolstra1-6/+13
They're the same thing after all. Example: $ nix build --store local?root=/tmp/nix nixpkgs.firefox-unwrapped [0/1 built, 49/98 copied, 16.3/92.8 MiB DL, 55.8/309.2 MiB copied] downloading 'https://cache.nixos.org/nar/0pl9li1jigcj2dany47hpmn0r3r48wc4nz48v5mqhh426lgz3bz6.nar.xz'
2017-08-16 Improve substitution progress indicatorEelco Dolstra1-1/+54
E.g. $ nix build --store local?root=/tmp/nix nixpkgs.firefox-unwrapped [0/1 built, 1/97/98 fetched, 65.8/92.8 MiB DL, 203.2/309.2 MiB copied] downloading 'https://cache.nixos.org/nar/1czm9fk0svacy4h6a3fzkpafi4f7a9gml36kk8cq1igaghbspg3k.nar.xz'
2017-08-09 Use /proc/self/fd to efficiently close all FDs on LinuxEelco Dolstra1-1/+1
Issue #1506.
2017-07-30 Replace Unicode quotes in user-facing strings by ASCIIJörg Thalheim1-102/+102
Relevant RFC: NixOS/rfcs#4 $ ag -l | xargs sed -i -e "/\"/s/’/'/g;/\"/s/‘/'/g"
2017-07-20 FD_SETSIZE check: BuildError -> ErrorEelco Dolstra1-3/+2
BuildError denotes a permanent build failure, which is not the case here.
2017-07-18 Do not try to fill fd_set with fd>=FD_SETSIZEDmitry Kalinkin1-0/+3
This is UB and causes buffer overflow and crash on linux.
2017-07-04 Add X32 to the seccomp filterEelco Dolstra1-0/+4
Fixes #1432.
2017-07-04 Add allow-new-privileges optionEelco Dolstra1-0/+3
This allows builds to call setuid binaries. This was previously possible until we started using seccomp. Turns out that seccomp by default disallows processes from acquiring new privileges. Generally, any use of setuid binaries (except those created by the builder itself) is by definition impure, but some people were relying on this ability for certain tests. Example: $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines: cannot raise the capability into the Ambient set : Operation not permitted $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms Fixes #1429.