about summary refs log tree commit diff
path: root/src/libstore/local-store.hh
AgeCommit message (Collapse)AuthorFilesLines
2013-03-08 Revert "Prevent config.h from being clobbered"Eelco Dolstra1-2/+2
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 Prevent config.h from being clobberedEelco Dolstra1-2/+2
2013-02-27 Refactoring: Split off the non-recursive canonicalisePathMetaData()Eelco Dolstra1-1/+1
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 Security: Don't allow builders to change permissions on files they don't ownEelco Dolstra1-2/+2
It turns out that in multi-user Nix, a builder may be able to do ln /etc/shadow $out/foo Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad. Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is: echo 1 > /proc/sys/fs/protected_hardlinks The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
2013-01-03 Clear any immutable bits in the Nix storeEelco Dolstra1-2/+3
Doing this once makes subsequent operations like garbage collecting more efficient since we don't have to call makeMutable() first.
2012-12-20 nix-store -q --roots: Respect the gc-keep-outputs/gc-keep-derivations settingsEelco Dolstra1-4/+0
So if a path is not garbage solely because it's reachable from a root due to the gc-keep-outputs or gc-keep-derivations settings, ‘nix-store -q --roots’ now shows that root.
2012-12-20 Yet another rewrite of the garbage collectorEelco Dolstra1-1/+5
But this time it's *obviously* correct! No more segfaults due to infinite recursions for sure, etc. Also, move directories to /nix/store/trash instead of renaming them to /nix/store/bla-gc-<pid>. Then we can just delete /nix/store/trash at the end.
2012-11-09 Use vfork() instead of fork() if availableEelco Dolstra1-0/+4
Hopefully this reduces the chance of hitting ‘unable to fork: Cannot allocate memory’ errors. vfork() is used for everything except starting builders.
2012-10-03 Add a ‘--repair’ flag to nix-instantiateEelco Dolstra1-3/+3
This allows repairing corrupted derivations and other source files.
2012-10-03 When repairing a derivation, check and repair the entire output closureEelco Dolstra1-0/+5
If we find a corrupted path in the output closure, we rebuild the derivation that produced that particular path.
2012-10-02 Add a --repair flag to ‘nix-store -r’ to repair derivation outputsEelco Dolstra1-1/+5
With this flag, if any valid derivation output is missing or corrupt, it will be recreated by using a substitute if available, or by rebuilding the derivation. The latter may use hash rewriting if chroots are not available.
2012-10-02 nix-store --verify: Add an option ‘--repair’ to repair all ↵Eelco Dolstra1-3/+4
missing/corrupt paths Also, return a non-zero exit code if errors remain after verifying/repairing.
2012-10-02 Add operation ‘nix-store --repair-path’Eelco Dolstra1-0/+4
This operation allows fixing corrupted or accidentally deleted store paths by redownloading them using substituters, if available. Since the corrupted path cannot be replaced atomically, there is a very small time window (one system call) during which neither the old (corrupted) nor the new (repaired) contents are available. So repairing should be used with some care on critical packages like Glibc.
2012-09-19 Support having /nix/store as a read-only bind mountEelco Dolstra1-0/+2
It turns out that the immutable bit doesn't work all that well. A better way is to make the entire Nix store a read-only bind mount, i.e. by doing $ mount --bind /nix/store /nix/store $ mount -o remount,ro,bind /nix/store (This would typically done in an early boot script, before anything from /nix/store is used.) Since Nix needs to be able to write to the Nix store, it now detects if /nix/store is a read-only bind mount and then makes it writable in a private mount namespace.
2012-09-13 Vacuum the SQLite DB after running the garbage collectorEelco Dolstra1-0/+2
2012-08-27 Merge branch 'master' into no-manifestsEelco Dolstra1-3/+2
2012-08-01 Count bytes freed deleting unused linksEelco Dolstra1-1/+1
2012-08-01 Drop the block count in the garbage collectorEelco Dolstra1-2/+1
2012-08-01 Report substituter errors to clients of the Nix daemonEelco Dolstra1-1/+1
2012-07-30 Refactor settings processingEelco Dolstra1-26/+23
Put all Nix configuration flags in a Settings object.
2012-07-30 Remove unused variablesEelco Dolstra1-3/+0
2012-07-26 Merge branch 'master' into no-manifestsEelco Dolstra1-6/+11
2012-07-23 Garbage collect unused links in /nix/store/.linksEelco Dolstra1-0/+2
Incremental optimisation requires creating links in /nix/store/.links to all files in the store. However, this means that if we delete a store path, no files are actually deleted because links in /nix/store/.links still exists. So we need to check /nix/store/.links for files with a link count of 1 and delete them.
2012-07-23 Automatically optimise the Nix store when a new path is addedEelco Dolstra1-0/+7
Auto-optimisation is enabled by default. It can be turned off by setting auto-optimise-store to false in nix.conf.
2012-07-23 optimiseStore(): Use a content-addressed file store in /nix/store/.linksEelco Dolstra1-1/+1
optimiseStore() now creates persistent, content-addressed hard links in /nix/store/.links. For instance, if it encounters a file P with hash H, it will create a hard link P' = /nix/store/.link/<H> to P if P' doesn't already exist; if P' exist, then P is replaced by a hard link to P'. This is better than the previous in-memory map, because it had the tendency to unnecessarily replace hard links with a hard link to whatever happened to be the first file with a given hash it encountered. It also allows on-the-fly, incremental optimisation.
2012-07-18 Use "#pragma once" to prevent repeated header file inclusionEelco Dolstra1-5/+1
2012-07-18 Merge branch 'master' into no-manifestsEelco Dolstra1-0/+3
2012-07-17 Add function queryPathFromHashPart()Eelco Dolstra1-0/+3
To implement binary caches efficiently, Hydra needs to be able to map the hash part of a store path (e.g. "gbg...zr7") to the full store path (e.g. "/nix/store/gbg...kzr7-subversion-1.7.5"). (The binary cache mechanism uses hash parts as a key for looking up store paths to ensure privacy.) However, doing a search in the Nix store for /nix/store/<hash>* is expensive since it requires reading the entire directory. queryPathFromHashPart() prevents this by doing a cheap database lookup.
2012-07-11 Replace hasSubstitutes() with querySubstitutablePaths()Eelco Dolstra1-3/+1
querySubstitutablePaths() takes a set of paths, so this greatly reduces daemon <-> client latency.
2012-07-11 Add a function queryValidPaths()Eelco Dolstra1-0/+2
queryValidPaths() combines multiple calls to isValidPath() in one. This matters when using the Nix daemon because it reduces latency. For instance, on "nix-env -qas \*" it reduces execution time from 5.7s to 4.7s (which is indistinguishable from the non-daemon case).
2012-07-11 Rename queryValidPaths() to queryAllValidPaths()Eelco Dolstra1-1/+1
2012-07-11 Implement querySubstitutablePathInfos() in the daemonEelco Dolstra1-3/+0
Also removed querySubstitutablePathInfo().
2012-07-06 download-from-binary-cache: parallelise fetching of NAR info filesEelco Dolstra1-2/+5
Getting substitute information using the binary cache substituter has non-trivial latency overhead. A package or NixOS system configuration can have hundreds of dependencies, and in the worst case (when the local info cache is empty) we have to do a separate HTTP request for each of these. If the ping time to the server is t, getting N info files will take tN seconds; e.g., with a ping time of 0.1s to nixos.org, sequentially downloading 1000 info files (a typical NixOS config) will take at least 100 seconds. To fix this problem, the binary cache substituter can now perform requests in parallel. This required changing the substituter interface to support a function querySubstitutablePathInfos() that queries multiple paths at the same time, and rewriting queryMissing() to take advantage of parallelism. (Due to local caching, parallelising queryMissing() is sufficient for most use cases, since it's almost always called before building a derivation and thus fills the local info cache.) For example, parallelism speeds up querying all 1056 paths in a particular NixOS system configuration from 116s to 2.6s. It works so well because the eccentricity of the top-level derivation in the dependency graph is only 9. So we only need 10 round-trips (when using an unlimited number of parallel connections) to get everything. Currently we do a maximum of 150 parallel connections to the server. Thus it's important that the binary cache server (e.g. nixos.org) has a high connection limit. Alternatively we could use HTTP pipelining, but WWW::Curl doesn't support it and libcurl has a hard-coded limit of 5 requests per pipeline.
2012-06-27 nix-store -r: do substitutions in parallelEelco Dolstra1-1/+1
I.e. when multiple non-derivation arguments are passed to ‘nix-store -r’ to be substituted, do them in parallel.
2012-05-29 Reserve some disk space for the garbage collectorEelco Dolstra1-1/+1
We can't open a SQLite database if the disk is full. Since this prevents the garbage collector from running when it's most needed, we reserve some dummy space that we can free just before doing a garbage collection. This actually revives some old code from the Berkeley DB days. Fixes #27.
2012-03-26 Make the garbage collector more concurrentEelco Dolstra1-4/+5
Make the garbage collector more concurrent by deleting valid paths outside the region where we're holding the global GC lock. This should greatly reduce the time during which new builds are blocked, since the deletion accounts for the vast majority of the time spent in the GC. To ensure that this is safe, the valid paths are invalidated and renamed to some arbitrary path while we're holding the lock. This ensures that we when we finally delete the path, it's not a (newly) valid or locked path.
2011-12-16 * Sync with the trunk.Eelco Dolstra1-1/+3
2011-12-16 * importPath() -> importPaths(). Because of buffering of the inputEelco Dolstra1-1/+3
stream it's now necessary for the daemon to process the entire sequence of exported paths, rather than letting the client do it.
2011-11-06 Include all outputs of derivations in the closure of explicitly-passed ↵Shea Levy1-0/+2
derivation paths This required adding a queryOutputDerivationNames function in the store API
2011-09-12 * Ouch. A store upgrade could cause a substituter to be triggered,Eelco Dolstra1-1/+1
causing a deadlock.
2011-07-20 * Fix a huuuuge security hole in the Nix daemon. It didn't check thatEelco Dolstra1-0/+5
derivations added to the store by clients have "correct" output paths (meaning that the output paths are computed by hashing the derivation according to a certain algorithm). This means that a malicious user could craft a special .drv file to build *any* desired path in the store with any desired contents (so long as the path doesn't already exist). Then the attacker just needs to wait for a victim to come along and install the compromised path. For instance, if Alice (the attacker) knows that the latest Firefox derivation in Nixpkgs produces the path /nix/store/1a5nyfd4ajxbyy97r1fslhgrv70gj8a7-firefox-5.0.1 then (provided this path doesn't already exist) she can craft a .drv file that creates that path (i.e., has it as one of its outputs), add it to the store using "nix-store --add", and build it with "nix-store -r". So the fake .drv could write a Trojan to the Firefox path. Then, if user Bob (the victim) comes along and does $ nix-env -i firefox $ firefox he executes the Trojan injected by Alice. The fix is to have the Nix daemon verify that derivation outputs are correct (in addValidPath()). This required some refactoring to move the hash computation code to libstore.
2010-12-06 * `nix-store --verify --check-contents': don't hold the global GC lockEelco Dolstra1-0/+3
while checking the contents, since this operation can take a very long time to finish. Also, fill in missing narSize fields in the DB while doing this.
2010-11-17 * Add an operation `nix-store -q --size'.Eelco Dolstra1-0/+1
2010-11-16 * Store the size of a store path in the database (to be precise, theEelco Dolstra1-6/+3
size of the NAR serialisation of the path, i.e., `nix-store --dump PATH'). This is useful for Hydra.
2010-08-31 `nix-store --verify' improvements:Eelco Dolstra1-2/+8
* If a path has disappeared, check its referrers first, and don't try to invalidate paths that have valid referrers. Otherwise we get a foreign key constraint violation. * Read the whole Nix store directory instead of statting each valid path, which is slower. * Acquire the global GC lock.
2010-06-21 * Okay, putting a lock on the temporary directory used by importPath()Eelco Dolstra1-0/+2
doesn't work because the garbage collector doesn't actually look at locks. So r22253 was stupid. Use addTempRoot() instead. Also, locking the temporary directory in exportPath() was silly because it isn't even in the store.
2010-05-04 * Allow unprivileged users to do `nix-store --clear-failed-paths' andEelco Dolstra1-3/+0
`nix-store --query-failed-paths'.
2010-04-26 * Added a command `nix-store --clear-failed-paths <PATHS>' to clearEelco Dolstra1-0/+5
the "failed" status of the given store paths. The special value `*' clears all failed paths.
2010-04-26 * Add an command `nix-store --query-failed-paths' to list the cachedEelco Dolstra1-0/+4
failed paths (when using the `build-cache-failure' option).
2010-02-24 * Refactor the upgrade / database initialisation logic a bit.Eelco Dolstra1-3/+1