about summary refs log tree commit diff
path: root/src/libstore/local-store.cc
AgeCommit message (Collapse)AuthorFilesLines
2013-10-16 Retry all SQLite operationsEelco Dolstra1-128/+165
To deal with SQLITE_PROTOCOL, we also need to retry read-only operations.
2013-10-16 Fix a race in registerFailedPath()Eelco Dolstra1-2/+1
Registering the path as failed can fail if another process does the same thing after the call to hasPathFailed(). This is extremely unlikely though.
2013-10-16 Convenience macros for retrying a SQLite transactionEelco Dolstra1-46/+42
2013-10-16 Don't wrap read-only queries in a transactionEelco Dolstra1-6/+0
There is no risk of getting an inconsistent result here: if the ID returned by queryValidPathId() is deleted from the database concurrently, subsequent queries involving that ID will simply fail (since IDs are never reused).
2013-10-16 Print a distinct warning for SQLITE_PROTOCOLEelco Dolstra1-4/+8
2013-10-16 Treat SQLITE_PROTOCOL as SQLITE_BUSYEelco Dolstra1-1/+1
In the Hydra build farm we fairly regularly get SQLITE_PROTOCOL errors (e.g., "querying path in database: locking protocol"). The docs for this error code say that it "is returned if some other process is messing with file locks and has violated the file locking protocol that SQLite uses on its rollback journal files." However, the SQLite source code reveals that this error can also occur under high load: if( cnt>5 ){ int nDelay = 1; /* Pause time in microseconds */ if( cnt>100 ){ VVA_ONLY( pWal->lockError = 1; ) return SQLITE_PROTOCOL; } if( cnt>=10 ) nDelay = (cnt-9)*238; /* Max delay 21ms. Total delay 996ms */ sqlite3OsSleep(pWal->pVfs, nDelay); } i.e. if certain locks cannot be not acquired, SQLite will retry a number of times before giving up and returing SQLITE_PROTOCOL. The comments say: Circumstances that cause a RETRY should only last for the briefest instances of time. No I/O or other system calls are done while the locks are held, so the locks should not be held for very long. But if we are unlucky, another process that is holding a lock might get paged out or take a page-fault that is time-consuming to resolve, during the few nanoseconds that it is holding the lock. In that case, it might take longer than normal for the lock to free. ... The total delay time before giving up is less than 1 second. On a heavily loaded machine like lucifer (the main Hydra server), which often has dozens of processes waiting for I/O, it seems to me that a page fault could easily take more than a second to resolve. So, let's treat SQLITE_PROTOCOL as SQLITE_BUSY and retry the transaction. Issue NixOS/hydra#14.
2013-08-26 Fix typos, especially those that end up in the Nix manualIvan Kozik1-1/+1
2013-08-07 Run the daemon worker on the same CPU as the clientEelco Dolstra1-0/+2
On a system with multiple CPUs, running Nix operations through the daemon is significantly slower than "direct" mode: $ NIX_REMOTE= nix-instantiate '<nixos>' -A system real 0m0.974s user 0m0.875s sys 0m0.088s $ NIX_REMOTE=daemon nix-instantiate '<nixos>' -A system real 0m2.118s user 0m1.463s sys 0m0.218s The main reason seems to be that the client and the worker get moved to a different CPU after every call to the worker. This patch adds a hack to lock them to the same CPU. With this, the overhead of going through the daemon is very small: $ NIX_REMOTE=daemon nix-instantiate '<nixos>' -A system real 0m1.074s user 0m0.809s sys 0m0.098s
2013-06-20 Increase SQLite's auto-checkpoint intervalEelco Dolstra1-2/+2
Common operations like instantiating a NixOS system config no longer fitted in 8192 pages, leading to more fsyncs. So increase this limit.
2013-06-20 Don't keep "disabled" substituters runningEelco Dolstra1-2/+25
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-13 Allow hard links between the outputs of a derivationEelco Dolstra1-7/+8
2013-06-13 In repair mode, update the hash of rebuilt pathsEelco Dolstra1-3/+4
Otherwise subsequent invocations of "--repair" will keep rebuilding the path. This only happens if the path content differs between builds (e.g. due to timestamps).
2013-06-07 Remove obsolete EOF checksEelco Dolstra1-26/+18
2013-06-07 Process stderr from substituters while doing have/info queriesEelco Dolstra1-9/+50
2013-06-07 Buffer reads from the substituterEelco Dolstra1-10/+22
This greatly reduces the number of system calls.
2013-05-01 Don't let stderr writes in substituters cause a deadlockEelco Dolstra1-0/+4
2013-03-25 makeStoreWritable: Ask forgiveness, not permissionShea Levy1-2/+2
It is surprisingly impossible to check if a mountpoint is a bind mount on Linux, and in my previous commit I forgot to check if /nix/store was even a mountpoint at all. statvfs.f_flag is not populated with MS_BIND (and even if it were, my check was wrong in the previous commit). Luckily, the semantics of mount with MS_REMOUNT | MS_BIND make both checks unnecessary: if /nix/store is not a mountpoint, then mount will fail with EINVAL, and if /nix/store is not a bind-mount, then it will not be made writable. Thus, if /nix/store is not a mountpoint, we fail immediately (since we don't know how to make it writable), and if /nix/store IS a mountpoint but not a bind-mount, we fail at first write (see below for why we can't check and fail immediately). Note that, due to what is IMO buggy behavior in Linux, calling mount with MS_REMOUNT | MS_BIND on a non-bind readonly mount makes the mountpoint appear writable in two places: In the sixth (but not the 10th!) column of mountinfo, and in the f_flags member of struct statfs. All other syscalls behave as if the mount point were still readonly (at least for Linux 3.9-rc1, but I don't think this has changed recently or is expected to soon). My preferred semantics would be for MS_REMOUNT | MS_BIND to fail on a non-bind mount, as it doesn't make sense to remount a non bind-mount as a bind mount.
2013-03-25 makeStoreWritable: Use statvfs instead of /proc/self/mountinfo to find out ↵Shea Levy1-21/+12
if /nix/store is a read-only bind mount /nix/store could be a read-only bind mount even if it is / in its own filesystem, so checking the 4th field in mountinfo is insufficient. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-03-08 Revert "Prevent config.h from being clobbered"Eelco Dolstra1-37/+79
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 Prevent config.h from being clobberedEelco Dolstra1-79/+37
2013-02-28 Handle systems without lutimes() or lchown()Eelco Dolstra1-1/+1
2013-02-28 Handle symlinks properlyEelco Dolstra1-1/+1
Now it's really brown paper bag time...
2013-02-27 Handle hard links to other files in the outputEelco Dolstra1-6/+26
2013-02-27 Refactoring: Split off the non-recursive canonicalisePathMetaData()Eelco Dolstra1-35/+50
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 Security: Don't allow builders to change permissions on files they don't ownEelco Dolstra1-7/+10
It turns out that in multi-user Nix, a builder may be able to do ln /etc/shadow $out/foo Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad. Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is: echo 1 > /proc/sys/fs/protected_hardlinks The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
2013-01-23 Only warn about SQLite being busy onceEelco Dolstra1-1/+5
No need to get annoying.
2013-01-03 Open the database after removing immutable bitsEelco Dolstra1-1/+1
2013-01-03 Clear any immutable bits in the Nix storeEelco Dolstra1-1/+60
Doing this once makes subsequent operations like garbage collecting more efficient since we don't have to call makeMutable() first.
2012-12-11 On SQLITE_BUSY, wait a random amount of timeEelco Dolstra1-1/+1
If all contending processes wait a fixed amount of time (100 ms), there is a good probability that they'll just collide again.
2012-11-09 Use vfork() instead of fork() if availableEelco Dolstra1-5/+16
Hopefully this reduces the chance of hitting ‘unable to fork: Cannot allocate memory’ errors. vfork() is used for everything except starting builders.
2012-11-09 Remove some redundant close() callsEelco Dolstra1-2/+0
They are unnecessary because we set the close-on-exec flag.
2012-11-09 Remove the quickExit functionEelco Dolstra1-1/+1
2012-11-09 Remove a Darwin hack that should no longer be neededEelco Dolstra1-7/+0
2012-11-09 Remove unnecessary call to closeMostFDs()Eelco Dolstra1-1/+0
We have close-on-exec on all FDs now, and there is no security risk in passing open FDs to substituters anyway.
2012-11-06 canonicalizePathMetaData: Fall-back to utimes if lutimes fails due to ENOSYSShea Levy1-0/+2
2012-10-04 nix-store --verify: Continue on errorsEelco Dolstra1-2/+4
2012-10-03 Remove bin2cEelco Dolstra1-0/+2
2012-10-03 Add a ‘--repair’ flag to nix-instantiateEelco Dolstra1-8/+8
This allows repairing corrupted derivations and other source files.
2012-10-03 When repairing a derivation, check and repair the entire output closureEelco Dolstra1-4/+20
If we find a corrupted path in the output closure, we rebuild the derivation that produced that particular path.
2012-10-02 Add a --repair flag to ‘nix-store -r’ to repair derivation outputsEelco Dolstra1-0/+10
With this flag, if any valid derivation output is missing or corrupt, it will be recreated by using a substitute if available, or by rebuilding the derivation. The latter may use hash rewriting if chroots are not available.
2012-10-02 nix-store --verify: Add an option ‘--repair’ to repair all ↵Eelco Dolstra1-5/+20
missing/corrupt paths Also, return a non-zero exit code if errors remain after verifying/repairing.
2012-09-25 Make the store writable before creating /nix/store/.linksEelco Dolstra1-2/+1
2012-09-19 Remove setting of the immutable bitEelco Dolstra1-2/+0
Using the immutable bit is problematic, especially in conjunction with store optimisation. For instance, if the garbage collector deletes a file, it has to clear its immutable bit, but if the file has additional hard links, we can't set the bit afterwards because we don't know the remaining paths. So now that we support having the entire Nix store as a read-only mount, we may as well drop the immutable bit. Unfortunately, we have to keep the code to clear the immutable bit for backwards compatibility.
2012-09-19 Support having /nix/store as a read-only bind mountEelco Dolstra1-0/+39
It turns out that the immutable bit doesn't work all that well. A better way is to make the entire Nix store a read-only bind mount, i.e. by doing $ mount --bind /nix/store /nix/store $ mount -o remount,ro,bind /nix/store (This would typically done in an early boot script, before anything from /nix/store is used.) Since Nix needs to be able to write to the Nix store, it now detects if /nix/store is a read-only bind mount and then makes it writable in a private mount namespace.
2012-09-19 Templatise tokenizeString()Eelco Dolstra1-3/+3
2012-09-13 Vacuum the SQLite DB after running the garbage collectorEelco Dolstra1-0/+7
2012-08-01 Report substituter errors to clients of the Nix daemonEelco Dolstra1-21/+37
2012-07-30 Refactor settings processingEelco Dolstra1-33/+31
Put all Nix configuration flags in a Settings object.
2012-07-30 Pass configuration settings to the substitutersEelco Dolstra1-0/+4
Previously substituters could read nix.conf themselves, but this didn't take --option flags into account.
2012-07-30 Remove unused variablesEelco Dolstra1-2/+0