about summary refs log tree commit diff
path: root/src/libstore/globals.hh
AgeCommit message (Collapse)AuthorFilesLines
2017-10-12 Add option to disable the seccomp filterEelco Dolstra1-0/+6
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
2017-09-05 Add automatic garbage collectionEelco Dolstra1-1/+9
Nix can now automatically run the garbage collector during builds or while adding paths to the store. The option "min-free = <bytes>" specifies that Nix should run the garbage collector whenever free space in the Nix store drops below <bytes>. It will then delete garbage until "max-free" bytes are available. Garbage collection during builds is asynchronous; running builds are not paused and new builds are not blocked. However, there also is a synchronous GC run prior to the first build/substitution. Currently, no old GC roots are deleted (as in "nix-collect-garbage -d").
2017-08-31 Rename a few configuration optionsEelco Dolstra1-36/+48
In particular, drop the "build-" and "gc-" prefixes which are pointless. So now you can say nix build --no-sandbox instead of nix build --no-build-use-sandbox
2017-07-17 Make the hashes mirrors used by builtins.fetchurl configurableEelco Dolstra1-0/+3
In particular, this allows it to be disabled in our tests.
2017-07-04 Add allow-new-privileges optionEelco Dolstra1-0/+6
This allows builds to call setuid binaries. This was previously possible until we started using seccomp. Turns out that seccomp by default disallows processes from acquiring new privileges. Generally, any use of setuid binaries (except those created by the builder itself) is by definition impure, but some people were relying on this ability for certain tests. Example: $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines: cannot raise the capability into the Ambient set : Operation not permitted $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms Fixes #1429.
2017-05-11 Add an option for extending the user agent headerEelco Dolstra1-0/+3
This is useful e.g. for distinguishing traffic to a binary cache (e.g. certain machines can use a different tag in the user agent).
2017-05-05 Make the location of the build directory in the sandbox configurableEelco Dolstra1-0/+3
This is mostly for use in the sandbox tests, since if the Nix store is under /build, then we can't use /build as the build directory.
2017-05-02 Replace $NIX_REMOTE_SYSTEMS with an option "builder-files"Eelco Dolstra1-0/+4
Also, to unify with hydra-queue-runner, allow it to be a list of files.
2017-05-02 Add an option for specifying remote buildersEelco Dolstra1-0/+3
This is useful for one-off situations where you want to specify a builder on the command line instead of having to mess with nix.machines. E.g. $ nix-build -A hello --argstr system x86_64-darwin \ --option builders 'root@macstadium1 x86_64-darwin' will perform the specified build on "macstadium1". It also removes the need for a separate nix.machines file since you can specify builders in nix.conf directly. (In fact nix.machines is yet another hack that predates the general nix.conf configuration file, IIRC.) Note: this option is supported by the daemon for trusted users. The fact that this allows trusted users to specify paths to SSH keys to which they don't normally have access is maybe a bit too much trust...
2017-05-01 Remove $NIX_BUILD_HOOK and $NIX_CURRENT_LOADEelco Dolstra1-0/+3
This is to simplify remote build configuration. These environment variables predate nix.conf. The build hook now has a sensible default (namely build-remote). The current load is kept in the Nix state directory now.
2017-04-20 Setting: Remove "Tag" template argumentEelco Dolstra1-4/+35
2017-04-20 Read per-user settings from ~/.config/nix/nix.confEelco Dolstra1-4/+0
2017-04-20 binary-caches-parallel-connections -> http-connectionsEelco Dolstra1-2/+3
2017-04-20 Reimplement trusted-substituters (aka trusted-binary-caches)Eelco Dolstra1-0/+4
2017-04-19 Reimplement connect-timeoutEelco Dolstra1-0/+3
Fixes #1339.
2017-04-14 DohEelco Dolstra1-1/+1
2017-04-13 Convert Settings to the new config systemEelco Dolstra1-159/+153
This makes all config options self-documenting. Unknown or unparseable config settings and --option flags now cause a warning.
2017-04-13 Merge branch 'rework-options' of https://github.com/copumpkin/nixEelco Dolstra1-8/+78
2017-03-30 Add exec primop behind allow-unsafe-native-code-during-evaluation.Shea Levy1-2/+2
Execute a given program with the (optional) given arguments as the user running the evaluation, parsing stdout as an expression to be evaluated. There are many use cases for nix that would benefit from being able to run arbitrary code during evaluation, including but not limited to: * Automatic git fetching to get a sha256 from a git revision * git rev-parse HEAD * Automatic extraction of information from build specifications from other tools, particularly language-specific package managers like cabal or npm * Secrets decryption (e.g. with nixops) * Private repository fetching Ideally, we would add this functionality in a more principled way to nix, but in the mean time 'builtins.exec' can be used to get these tasks done. The primop is only available when the 'allow-unsafe-native-code-during-evaluation' nix option is true. That flag also enables the 'importNative' primop, which is strictly more powerful but less convenient (since it requires compiling a plugin against the running version of nix).
2017-03-15 Store: Add a method for getting build logsEelco Dolstra1-3/+0
This allows various Store implementations to provide different ways to get build logs. For example, BinaryCacheStore can get the build logs from the binary cache. Also, remove the log-servers option since we can use substituters for this.
2017-03-08 Add option to disable import-from-derivation completely, even if the drv is ↵Shea Levy1-0/+3
already realized
2017-03-06 Properly set the caFile for aws-sdk-cpp s3Shea Levy1-0/+3
2017-02-22 Explicitly model all settings and fail on unrecognized onesDan Peebles1-8/+78
Previously, the Settings class allowed other code to query for string properties, which led to a proliferation of code all over the place making up new options without any sort of central registry of valid options. This commit pulls all those options back into the central Settings class and removes the public get() methods, to discourage future abuses like that. Furthermore, because we know the full set of options ahead of time, we now fail loudly if someone enters an unrecognized option, thus preventing subtle typos. With some template fun, we could probably also dump the full set of options (with documentation, defaults, etc.) to the command line, but I'm not doing that yet here.
2017-02-16 Move netrcFile to SettingsEelco Dolstra1-2/+4
Also get rid of Settings::processEnvironment(), it appears to be useless.
2016-12-06 nix-store --serve: Suppress log output on stderr when repeating a buildEelco Dolstra1-0/+5
2016-08-10 Remove $NIX_DB_DIREelco Dolstra1-3/+0
This variable has no reason to exist, given $NIX_STATE_DIR.
2016-04-29 Eliminate the substituter mechanismEelco Dolstra1-5/+0
Substitution is now simply a Store -> Store copy operation, most typically from BinaryCacheStore to LocalStore.
2016-04-25 Show the log tail when a build failsEelco Dolstra1-2/+6
If --no-build-output is given (which will become the default for the "nix" command at least), show the last 10 lines of the build output if the build fails.
2016-04-25 Remove --print-build-traceEelco Dolstra1-16/+0
This was added to support Hydra, but Hydra no longer uses it.
2016-04-25 Improved logging abstractionEelco Dolstra1-0/+1
This also gets rid of --log-type, since the nested log type isn't useful in a multi-threaded situation, and nobody cares about the "pretty" log type.
2016-04-08 Remove failed build cachingEelco Dolstra1-3/+0
This feature was implemented for Hydra, but Hydra no longer uses it.
2015-04-18 Add the pre-build hook.Shea Levy1-0/+4
This hook can be used to set system-specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files through the interface, but it also has full access to the chroot root. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-support system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-18 Revert "Add the pre-build hook."Shea Levy1-4/+0
Going to reimplement differently. This reverts commit 1e4a4a2e9fc382f47f58b448f3ee034cdd28218a.
2015-04-16 Fix using restricted mode with chrootsEelco Dolstra1-0/+2
2015-04-12 Add the pre-build hook.Shea Levy1-0/+4
This hook can be used to set system specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-supported system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-09 Implement a TTL on cached fetchurl/fetchTarball resultsEelco Dolstra1-0/+2
This is because we don't want to do HTTP requests on every evaluation, even though we can prevent a full redownload via the cached ETag. The default is one hour.
2015-02-23 Use chroots for all derivationsEelco Dolstra1-3/+0
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
2014-09-17 Settings: Add bool get()Eelco Dolstra1-0/+2
2014-08-05 DohEelco Dolstra1-9/+0
2014-08-04 Move some options out of globalsEelco Dolstra1-1/+3
2014-08-04 RefactorEelco Dolstra1-5/+5
2014-08-04 Add option ‘build-extra-chroot-dirs’Eelco Dolstra1-4/+0
This is useful for extending (rather than overriding) the default set of chroot paths.
2014-07-25 nix-daemon: Pass on the user's $SSH_AUTH_SOCK to the SSH substituterEelco Dolstra1-0/+2
2014-07-17 nix-daemon: Add trusted-users and allowed-users optionsEelco Dolstra1-0/+9
‘trusted-users’ is a list of users and groups that have elevated rights, such as the ability to specify binary caches. It defaults to ‘root’. A typical value would be ‘@wheel’ to specify all users in the wheel group. ‘allowed-users’ is a list of users and groups that are allowed to connect to the daemon. It defaults to ‘*’. A typical value would be ‘@users’ to specify the ‘users’ group.
2014-06-24 Only add the importNative primop if the ↵Shea Levy1-0/+3
allow-arbitrary-code-during-evaluation option is true (default false)
2014-05-21 nix-store -l: Fetch build logs from the InternetEelco Dolstra1-0/+3
If a build log is not available locally, then ‘nix-store -l’ will now try to download it from the servers listed in the ‘log-servers’ option in nix.conf. For instance, if you have: log-servers = http://hydra.nixos.org/log then it will try to get logs from http://hydra.nixos.org/log/<base name of the store path>. So you can do things like: $ nix-store -l $(which xterm) and get a log even if xterm wasn't built locally.
2014-02-26 Add use-ssh-substituter setting.Shea Levy1-0/+3
It defaults to false and can be overridden by RemoteStore. Untested currently, just quickly put this together
2014-02-14 Minor style fixesEelco Dolstra1-1/+1
2014-02-10 Pass in params by const refShea Levy1-1/+1
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 Add download-via-ssh substituterShea Levy1-0/+6
This substituter connects to a remote host, runs nix-store --serve there, and then forwards substituter commands on to the remote host and sends their results to the calling program. The ssh-substituter-hosts option can be specified as a list of hosts to try. This is an initial implementation and, while it works, it has some limitations: * Only the first host is used * There is no caching of query results (all queries are sent to the remote machine) * There is no informative output (such as progress bars) * Some failure modes may cause unhelpful error messages * There is no concept of trusted-ssh-substituter-hosts Signed-off-by: Shea Levy <shea@shealevy.com>