about summary refs log tree commit diff
path: root/src/libstore/build.cc
AgeCommit message (Collapse)AuthorFilesLines
2015-11-14 simplify build permissionsJude Taylor1-13/+3
2015-11-14 use per-derivation sandbox profilesJude Taylor1-28/+39
2015-11-09 Add option to verify build determinismEelco Dolstra1-9/+53
Passing "--option build-repeat <N>" will cause every build to be repeated N times. If the build output differs between any round, the build is rejected, and the output paths are not registered as valid. This is primarily useful to verify build determinism. (We already had a --check option to repeat a previously succeeded build. However, with --check, non-deterministic builds are registered in the DB. Preventing that is useful for Hydra to ensure that non-deterministic builds don't end up getting published at all.)
2015-11-09 Revert "Allow using /bin and /usr/bin as impure prefixes on non-darwin by ↵Eelco Dolstra1-1/+1
default" This reverts commit 79ca5033329053caa364bb2f7e50953f859cc97f. Ouch, never noticed this. We definitely don't want to allow builds to have arbitrary access to /bin and /usr/bin, because then they can (for instance) bring in a bunch of setuid programs. Also, we shouldn't be encouraging the use of impurities in the default configuration.
2015-10-29 int2String() -> std::to_string()Eelco Dolstra1-2/+2
2015-10-21 use nixDataDir instead of appending /share to PREFIXJude Taylor1-1/+1
2015-10-21 clarifying commentJude Taylor1-1/+5
2015-10-21 move preBuildHook defaulting to globals.ccJude Taylor1-7/+0
2015-10-21 restore old DEFAULT_ALLOWED_IMPURE_PREFIXESJude Taylor1-1/+1
2015-10-21 Add resolve-system-dependencies.plJude Taylor1-0/+7
2015-10-21 fix line reading in preBuildHookJude Taylor1-1/+1
2015-10-21 remove sandbox defaults into a new fileJude Taylor1-65/+5
2015-10-21 restore allowed impure prefixesJude Taylor1-1/+1
2015-10-21 remove an unneeded default impure-depJude Taylor1-1/+0
2015-10-21 make sandbox builds more permissiveJude Taylor1-2/+2
2015-10-21 add a few more permissionsJude Taylor1-3/+45
2015-10-21 Allow builtin fetchurl regardless of the derivation's system attributeEelco Dolstra1-12/+13
2015-10-21 Fix segfault in builtin fetchurlEelco Dolstra1-3/+7
The stack allocated for the builder was way too small (32 KB). This is sufficient for normal derivations, because they just do some setup and then exec() the actual builder. But for the fetchurl builtin derivation it's not enough. Also, allocating the stack on the caller's stack was fishy business.
2015-10-08 Allow building ARMv6 stuff on ARMv7Tuomas Tynkkynen1-0/+1
This allows building a Raspberry Pi image on modern, faster boards.
2015-10-06 nix-store --serve: Implement log size limitEelco Dolstra1-1/+2
2015-09-18 Shut up clang warningsEelco Dolstra1-4/+4
2015-09-02 Filter build-chroot-dirs entries that conflict with derivation outputsEelco Dolstra1-4/+4
Fixes https://github.com/NixOS/nixpkgs/issues/9504. Note that this means we may have a non-functional /bin/sh in the chroot while rebuilding Bash or one of its dependencies. Ideally those packages don't rely on /bin/sh though.
2015-09-02 Remove unused variableEelco Dolstra1-5/+0
2015-08-24 Prevent .chroot from being GC'ed when using LocalStore::buildDerivation()Eelco Dolstra1-0/+4
Fixes #616.
2015-08-19 Remove unneeded HAVE_UNSHARE.Manolis Ragkousis1-1/+1
* src/libstore/build.cc (CHROOT_ENABLED): Remove HAVE_UNSHARE.
2015-08-04 Don't include <iostream> before config.hEelco Dolstra1-2/+2
This breaks the build on 32-bit systems. http://hydra.nixos.org/build/24373658
2015-08-03 Handle debug messages from runChild()Eelco Dolstra1-10/+16
Turns out that "nix-build -vvv" with chroots enabled has been broken for some time, because some debug message got interpreted as an error.
2015-07-26 Remove unnecessary parenthesesEelco Dolstra1-2/+2
2015-07-21 Fix Darwin buildEelco Dolstra1-1/+4
Turns out getgrouplist() is not POSIX. http://hydra.nixos.org/build/23881243
2015-07-20 Make <nix/fetchurl.nix> a builtin builderEelco Dolstra1-3/+25
This ensures that 1) the derivation doesn't change when Nix changes; 2) the derivation closure doesn't contain Nix and its dependencies; 3) we don't have to rely on ugly chroot hacks.
2015-07-20 Provide more detailed info about build status to hydra-queue-runnerEelco Dolstra1-43/+61
In particular, hydra-queue-runner can now distinguish between remote build / substitution / already-valid. For instance, if a path already existed on the remote side, we don't want to store a log file.
2015-07-17 OCD: foreach -> C++11 ranged forEelco Dolstra1-103/+101
2015-07-17 Allow remote builds without sending the derivation closureEelco Dolstra1-137/+206
Previously, to build a derivation remotely, we had to copy the entire closure of the .drv file to the remote machine, even though we only need the top-level derivation. This is very wasteful: the closure can contain thousands of store paths, and in some Hydra use cases, include source paths that are very large (e.g. Git/Mercurial checkouts). So now there is a new operation, StoreAPI::buildDerivation(), that performs a build from an in-memory representation of a derivation (BasicDerivation) rather than from a on-disk .drv file. The only files that need to be in the Nix store are the sources of the derivation (drv.inputSrcs), and the needed output paths of the dependencies (as described by drv.inputDrvs). "nix-store --serve" exposes this interface. Note that this is a privileged operation, because you can construct a derivation that builds any store path whatsoever. Fixing this will require changing the hashing scheme (i.e., the output paths should be computed from the other fields in BasicDerivation, allowing them to be verified without access to other derivations). However, this would be quite nice because it would allow .drv-free building (e.g. "nix-env -i" wouldn't have to write any .drv files to disk). Fixes #173.
2015-07-02 TypoEelco Dolstra1-1/+1
2015-07-01 Preserve supplementary groups of build usersLudovic Courtès1-2/+18
The following patch is an attempt to address this bug (see <http://bugs.gnu.org/18994>) by preserving the supplementary groups of build users in the build environment. In practice, I would expect that supplementary groups would contain only one or two groups: the build users group, and possibly the “kvm” group. [Changed &at(0) to data() and removed tabs - Eelco]
2015-06-10 Export outputPaths functionEelco Dolstra1-11/+2
This is useful for the new hydra-queue-runner.
2015-06-09 Use std::vector::data()Eelco Dolstra1-5/+2
2015-06-04 Allow substitutes for builds that have preferLocalBuild setEelco Dolstra1-8/+14
Not substituting builds with "preferLocalBuild = true" was a bad idea, because it didn't take the cost of dependencies into account. For instance, if we can't substitute a fetchgit call, then we have to download/build git and all its dependencies. Partially reverts 5558652709f27e8a887580b77b93c705659d7a4b and adds a new derivation attribute "allowSubstitutes" to specify whether a derivation may be substituted.
2015-06-04 Chown files created for passAsFileEelco Dolstra1-2/+7
Nixpkgs' writeTextAsFile does this: mv "$textPath" "$n" Since $textPath was owned by root, if $textPath is on the same filesystem as $n, $n will be owned as root. As a result, the build result was rejected as having suspicious ownership. http://hydra.nixos.org/build/22836807
2015-05-13 cygwin: explicitly include required c headersRok Garbas1-0/+1
2015-05-12 Don't try to map /bin/sh to a store path on non-LinuxShea Levy1-0/+2
2015-04-18 Add the pre-build hook.Shea Levy1-0/+36
This hook can be used to set system-specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files through the interface, but it also has full access to the chroot root. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-support system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-18 Revert "Add the pre-build hook."Shea Levy1-107/+0
Going to reimplement differently. This reverts commit 1e4a4a2e9fc382f47f58b448f3ee034cdd28218a.
2015-04-12 Add the pre-build hook.Shea Levy1-0/+107
This hook can be used to set system specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-supported system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-07 Revert /nix/store permission back to 01775Eelco Dolstra1-1/+1
This broke NixOS VM tests. Mostly reverts 27b7b94923d2f207781b438bb7a57669bddf7d2b, 5ce50cd99e740d0d0f18c30327ae687be9356553, afa433e58c3fe6029660a43fdc2073c9d15b4210.
2015-04-02 Chroot builds: Provide world-readable /nix/storeEelco Dolstra1-1/+1
This was causing NixOS VM tests to fail mysteriously since 5ce50cd99e740d0d0f18c30327ae687be9356553. Nscd could (sometimes) no longer read /etc/hosts: open("/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) Probably there was some wacky interaction between the guest kernel and the 9pfs implementation in QEMU.
2015-03-24 Improve setting the default chroot dirsEelco Dolstra1-1/+6
2015-03-24 Add the closure of store paths to the chrootEelco Dolstra1-0/+8
Thus, for example, to get /bin/sh in a chroot, you only need to specify /bin/sh=${pkgs.bash}/bin/sh in build-chroot-dirs. The dependencies of sh will be added automatically.
2015-03-24 Tighten permissions on chroot directoriesEelco Dolstra1-2/+12
2015-03-04 Don't use vfork() before clone()Eelco Dolstra1-1/+3
I'm seeing hangs in Glibc's setxid_mark_thread() again. This is probably because the use of an intermediate process to make clone() safe from a multi-threaded program (see 524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of vfork(), since the intermediate process will have a copy of Glibc's threading data structures due to the vfork(). So use a regular fork() again.