about summary refs log tree commit diff
path: root/src/libstore/build.cc
AgeCommit message (Collapse)AuthorFilesLines
2019-08-27 Merge branch 'test-sandboxing' of https://github.com/matthewbauer/nixEelco Dolstra1-3/+24
2019-08-23 Reset tmpDirInSandbox for unsandboxedMatthew Bauer1-0/+1
2019-08-07 Merge pull request #2995 from tweag/post-build-hookEelco Dolstra1-0/+55
Add a post build hook
2019-08-02 Use BSD instead of POSIX file locksEelco Dolstra1-17/+0
POSIX file locks are essentially incompatible with multithreading. BSD locks have much saner semantics. We need this now that there can be multiple concurrent LocalStore::buildPaths() invocations.
2019-08-02 Add a post-build-hookregnat1-0/+55
Passing `--post-build-hook /foo/bar` to a nix-* command will cause `/foo/bar` to be executed after each build with the following environment variables set: DRV_PATH=/nix/store/drv-that-has-been-built.drv OUT_PATHS=/nix/store/...build /nix/store/...build-bin /nix/store/...build-dev This can be useful in particular to upload all the builded artifacts to the cache (including the ones that don't appear in the runtime closure of the final derivation or are built because of IFD). This new feature prints the stderr/stdout output to the `nix-build` and `nix build` client, and the output is printed in a Nix 2 compatible format: [nix]$ ./inst/bin/nix-build ./test.nix these derivations will be built: /nix/store/ishzj9ni17xq4hgrjvlyjkfvm00b0ch9-my-example-derivation.drv building '/nix/store/ishzj9ni17xq4hgrjvlyjkfvm00b0ch9-my-example-derivation.drv'... hello! bye! running post-build-hook '/home/grahamc/projects/github.com/NixOS/nix/post-hook.sh'... post-build-hook: + sleep 1 post-build-hook: + echo 'Signing paths' /nix/store/qr213vjmibrqwnyp5fw678y7whbkqyny-my-example-derivation post-build-hook: Signing paths /nix/store/qr213vjmibrqwnyp5fw678y7whbkqyny-my-example-derivation post-build-hook: + sleep 1 post-build-hook: + echo 'Uploading paths' /nix/store/qr213vjmibrqwnyp5fw678y7whbkqyny-my-example-derivation post-build-hook: Uploading paths /nix/store/qr213vjmibrqwnyp5fw678y7whbkqyny-my-example-derivation post-build-hook: + sleep 1 post-build-hook: + printf 'very important stuff' /nix/store/qr213vjmibrqwnyp5fw678y7whbkqyny-my-example-derivation [nix-shell:~/projects/github.com/NixOS/nix]$ ./inst/bin/nix build -L -f ./test.nix my-example-derivation> hello! my-example-derivation> bye! my-example-derivation (post)> + sleep 1 my-example-derivation (post)> + echo 'Signing paths' /nix/store/c263gzj2kb2609mz8wrbmh53l14wzmfs-my-example-derivation my-example-derivation (post)> Signing paths /nix/store/c263gzj2kb2609mz8wrbmh53l14wzmfs-my-example-derivation my-example-derivation (post)> + sleep 1 my-example-derivation (post)> + echo 'Uploading paths' /nix/store/c263gzj2kb2609mz8wrbmh53l14wzmfs-my-example-derivation my-example-derivation (post)> Uploading paths /nix/store/c263gzj2kb2609mz8wrbmh53l14wzmfs-my-example-derivation my-example-derivation (post)> + sleep 1 my-example-derivation (post)> + printf 'very important stuff' [1 built, 0.0 MiB DL] Co-authored-by: Graham Christensen <graham@grahamc.com> Co-authored-by: Eelco Dolstra <edolstra@gmail.com>
2019-07-30 Don’t rely on EPERMMatthew Bauer1-2/+2
startProcess does not appear to send the exit code to the helper correctly. Not sure why this is, but it is probably safe to just fallback on all sandbox errors.
2019-07-25 Use sandbox fallback when cloning fails in builderMatthew Bauer1-1/+11
When sandbox-fallback = true (the default), the Nix builder will fall back to disabled sandbox mode when the kernel doesn’t allow users to set it up. This prevents hard errors from occuring in tricky places, especially the initial installer. To restore the previous behavior, users can set: sandbox-fallback = false in their /etc/nix/nix.conf configuration.
2019-07-25 Disable CLONE_NEWUSER when it’s unavailableMatthew Bauer1-2/+12
Some kernels disable "unpriveleged user namespaces". This is unfortunate, but we can still use mount namespaces. Anyway, since each builder has its own nixbld user, we already have most of the benefits of user namespaces.
2019-07-13 Merge pull request #2975 from matthewbauer/fix-nsswitch-issueEelco Dolstra1-1/+7
Don’t use entire /etc/nsswitch.conf file
2019-07-02 build: replace 100 offset for build exit codesDaiderd Jordan1-5/+19
2019-07-02 build: use binary mask for build status flagsDaiderd Jordan1-1/+9
If multiple builds with fail with different errors it will be reflected in the status code. eg. 103 => timeout + hash mismatch 105 => timeout + check mismatch 106 => hash mismatch + check mismatch 107 => timeout + hash mismatch + check mismatch
2019-07-02 build: add exit code for hash and check mismatchesDaiderd Jordan1-3/+13
Makes it easier to identify the failure reason in other tooling, eg. differentiate between a non-deterministic --check vs a failed build. $ nix-build '<nix/fetchurl.nix>' --argstr url http://example.org --argstr sha256 0000000000000000000000000000000000000000000000000000 hash mismatch in fixed-output derivation '/nix/store/nzi9ck45rwlxzcwr25is7qlf3hs5xl83-example.org': wanted: sha256:0000000000000000000000000000000000000000000000000000 got: sha256:08y4734bm2zahw75b16bcmcg587vvyvh0n11gwiyir70divwp1rm $ echo $? 102 $ nix-build -E 'with import <nixpkgs> {}; runCommand "foo" {} "date +%s > $out"' --check warning: rewriting hashes in '/nix/store/g3k47g0399fvjmbm0p0mnad74k4w8vkz-foo'; cross fingers error: derivation '/nix/store/mggc8dz13ackb49qca6m23zq4fpq132q-foo.drv' may not be deterministic: output '/nix/store/g3k47g0399fvjmbm0p0mnad74k4w8vkz-foo' differs $ echo $? 104
2019-06-27 Don’t use entire /etc/nsswitch.conf fileMatthew Bauer1-1/+7
The default nsswitch.conf(5) file in most distros can handle many different things including host name, user names, groups, etc. In Nix, we want to limit the amount of impurities that come from these things. As a result, we should only allow nss to be used for gethostbyname(3) and getservent(3). /cc @Ericson2314
2019-06-17 Another attempt at getting pseudoterminals to work on macOSEelco Dolstra1-0/+3
2019-06-16 Hopefully fix macOS testsEelco Dolstra1-4/+6
2019-06-16 Set $TERMEelco Dolstra1-0/+3
2019-06-16 Run builds in a pseudo-terminalEelco Dolstra1-8/+46
This allows many programs (e.g. gcc, clang, cmake) to print colorized log output (assuming $TERM is set to a value like "xterm"). There are other ways to get colors, in particular setting CLICOLOR_FORCE, but they're less widely supported and can break programs that parse tool output.
2019-05-13 Merge pull request #2802 from LnL7/fix-needs-hashrewriteEelco Dolstra1-12/+16
build: move needsHashRewrite initialization to startBuilder
2019-05-12 build: make needsHashRewrite a methodDaiderd Jordan1-12/+16
2019-05-12 handleDiffHook: stop passing allowVforkGraham Christensen1-3/+1
2019-05-12 runProgram: support gid, uid, chdirGraham Christensen1-20/+16
2019-05-12 chdir, setgroupsGraham Christensen1-0/+4
2019-05-12 diff hook: execute as the build user, and pass the temp dirGraham Christensen1-12/+29
2019-05-12 build: run diff-hook under --check and document diff-hookGraham Christensen1-12/+18
2019-05-12 build: move needsHashRewrite initialization to startBuilderDaiderd Jordan1-7/+7
The value of useChroot is not set yet in the constructor, resulting in hash rewriting being enabled in certain cases where it should not be. Fixes #2801
2019-05-03 Fix "Bad system call" running i686-linux binaries on x86_64-linuxEelco Dolstra1-4/+4
To determine which seccomp filters to install, we were incorrectly using settings.thisSystem, which doesn't denote the actual system when --system is used. Fixes #2791.
2019-04-17 build: only skip hash rewriting for sandboxing on linuxDaiderd Jordan1-2/+18
The sandbox on darwin, and possibly other future platforms, doesn't have enough isolation to redirect outputs without hash rewriting.
2019-04-01 primeCache(): Barf if builds are needed but not allowedEelco Dolstra1-0/+6
Fixes #2753.
2019-03-14 experimental/optional -> optionalEelco Dolstra1-5/+5
2019-02-05 Revert "Restore parent mount namespace before executing a child process"Eelco Dolstra1-2/+0
This reverts commit a0ef21262f4d5652bfb65cfacaec01d89c475a93. This doesn't work in 'nix run' and nix-shell because setns() fails in multithreaded programs, and Boehm GC mark threads are uncancellable. Fixes #2646.
2018-12-12 libstore: improve hash mismatch error messageszimbatm1-2/+2
Use the same output ordering and format everywhere. This is such a common issue that we trade the single-line error message for more readability. Old message: ``` fixed-output derivation produced path '/nix/store/d4nw9x2sy9q3r32f3g5l5h1k833c01vq-example.com' with sha256 hash '08y4734bm2zahw75b16bcmcg587vvyvh0n11gwiyir70divwp1rm' instead of the expected hash '1xzwnipjd54wl8g93vpw6hxnpmdabq0wqywriiwmh7x8k0lvpq5m' ``` New message: ``` hash mismatch in fixed-output derivation '/nix/store/d4nw9x2sy9q3r32f3g5l5h1k833c01vq-example.com': wanted: sha256:1xzwnipjd54wl8g93vpw6hxnpmdabq0wqywriiwmh7x8k0lvpq5m got: sha256:08y4734bm2zahw75b16bcmcg587vvyvh0n11gwiyir70divwp1rm ```
2018-11-15 Fix 'Read-only file system' when building a derivationEelco Dolstra1-0/+2
2018-10-27 Restore old (dis)allowedRequisites behaviour for self-referencesEelco Dolstra1-29/+34
stdenv relies on this. So ignore self-references (but only in legacy non-structured attributes mode).
2018-10-23 Per-output reference and closure size checksEelco Dolstra1-51/+168
In structured-attributes derivations, you can now specify per-output checks such as: outputChecks."out" = { # The closure of 'out' must not be larger than 256 MiB. maxClosureSize = 256 * 1024 * 1024; # It must not refer to C compiler or to the 'dev' output. disallowedRequisites = [ stdenv.cc "dev" ]; }; outputChecks."dev" = { # The 'dev' output must not be larger than 128 KiB. maxSize = 128 * 1024; }; Also fixed a bug in allowedRequisites that caused it to ignore self-references.
2018-09-28 Check requiredSystemFeatures for local buildsEelco Dolstra1-12/+9
For example, this prevents a "kvm" build on machines that don't have KVM. Fixes #2012.
2018-09-28 Move structured attrs handling into a separate classEelco Dolstra1-98/+15
This is primarily because Derivation::{can,will}BuildLocally() depends on attributes like preferLocalBuild and requiredSystemFeatures, but it can't handle them properly because it doesn't have access to the structured attributes.
2018-09-28 Remove obsolete check on system featuresEelco Dolstra1-1/+0
2018-09-28 Support special attributes in structured attributes derivationsEelco Dolstra1-94/+175
E.g. __noChroot and allowedReferences now work correctly. We also now check that the attribute type is correct. For instance, instead of allowedReferences = "out"; you have to write allowedReferences = [ "out" ]; Fixes #2453.
2018-09-07 If fallback is enabled, temporarily disable substituters after a failureEelco Dolstra1-0/+6
Otherwise, we just keep asking the substituter for other .narinfo files, which can take a very long time due to retries/timeouts.
2018-09-07 Handle queryPathInfo() failure from substituters when fallback is enabledEelco Dolstra1-0/+7
Fixes #1990.
2018-08-31 Add localhost alias for ::1 to the sandboxEelco Dolstra1-1/+1
2018-06-12 Fix #2162: use getaddrinfo instead of curl to preload NSSYorick van Pelt1-4/+8
2018-06-05 Don't require --fallback to recover from disappeared binary cache NARsEelco Dolstra1-11/+21
2018-05-30 Modularize config settingsEelco Dolstra1-2/+4
Allow global config settings to be defined in multiple Config classes. For example, this means that libutil can have settings and evaluator settings can be moved out of libstore. The Config classes are registered in a new GlobalConfig class to which config files etc. are applied. Relevant to https://github.com/NixOS/nix/issues/2009 in that it removes the need for ad hoc handling of useCaseHack, which was the underlying cause of that issue.
2018-05-03 Don't set a CA assertion for paths with referencesEelco Dolstra1-0/+2
Really fixes #2133.
2018-05-02 Fix some random -Wconversion warningsEelco Dolstra1-3/+3
2018-04-23 Merge branch 'aarch64-armv7' of git://github.com/lheckemann/nixShea Levy1-0/+4
Support extra compatible architectures (#1916)
2018-04-20 build.cc: fix bind-mount of /dev/{pts,ptmx} fallbackWill Dietz1-2/+2
Don't bind-mount these to themselves, mount them into the chroot directory. Fixes pty issues when using sandbox on CentOS 7.4. (build of perlPackages.IOTty fails before this change)
2018-04-17 exportReferences: Check whether the path is in the input closureEelco Dolstra1-11/+14
Fixes #2082.
2018-04-13 Fix #1921Eelco Dolstra1-1/+1