path: root/src/libstore/local-store.hh
Age | Commit message | Author | Files | Lines
2016-06-02 | Make derivationFromPath work on diverted stores | Eelco Dolstra | 1 | -0/+2
2016-06-02 | nix run: Mount the Nix store in a private namespace | Eelco Dolstra | 1 | -0/+4
This is a convenience command to allow users who are not privileged to create /nix/store to use Nix with regular binary caches. For example,
  $ NIX_REMOTE="local?state=$HOME/nix/var&real=/$HOME/nix/store" nix run firefox bashInteractive
will download Firefox and bash from cache.nixos.org, then start a shell in which $HOME/nix/store is mounted on /nix/store.
2016-06-02 | LocalStore: Allow the physical and logical store directories to differ | Eelco Dolstra | 1 | -0/+2
This is primarily to subsume the functionality of the copy-from-other-stores substituter. For example, in the NixOS installer, we can now do (assuming we're in the target chroot, and the Nix store of the installation CD is bind-mounted on /tmp/nix):
  $ nix-build ... --option substituters 'local?state=/tmp/nix/var&real=/tmp/nix/store'
However, unlike copy-from-other-stores, this also allows write access to such a store. One application might be fetching substitutes for /nix/store in a situation where the user doesn't have sufficient privileges to create /nix, e.g.:
  $ NIX_REMOTE="local?state=/home/alice/nix/var&real=/home/alice/nix/store" nix-build ...
2016-06-02 | Allow setting the state directory as a store parameter | Eelco Dolstra | 1 | -2/+10
E.g. "local?store=/tmp/store&state=/tmp/var".
2016-06-01 | Make the store directory a member variable of Store | Eelco Dolstra | 1 | -1/+1
2016-05-31 | nix-copy-closure / build-remote.pl: Disable signature checking | Eelco Dolstra | 1 | -1/+1
This restores the Nix 1.11 behaviour.
2016-05-30 | Check signatures before downloading the substitute | Eelco Dolstra | 1 | -0/+1
2016-05-30 | Re-implement binary cache signature checking | Eelco Dolstra | 1 | -0/+4
This is now done in LocalStore::addToStore(), rather than in the binary cache substituter (which no longer exists).
2016-05-04 | Add a Store::addToStore() variant that accepts a NAR | Eelco Dolstra | 1 | -7/+3
As a side effect, this ensures that signatures are propagated when copying paths between stores. Also refactored import/export to make use of this.
2016-05-04 | Remove OpenSSL-based signing | Eelco Dolstra | 1 | -4/+3
2016-04-29 | Allow parameters in store URIs | Eelco Dolstra | 1 | -0/+2
This is to allow store-specific configuration, e.g. s3://my-cache?compression=bzip2&secret-key=/path/to/key.
2016-04-29 | Eliminate the substituter mechanism | Eelco Dolstra | 1 | -27/+0
Substitution is now simply a Store -> Store copy operation, most typically from BinaryCacheStore to LocalStore.
2016-04-19 | Move path info caching from BinaryCacheStore to Store | Eelco Dolstra | 1 | -7/+3
Caching path info is generally useful. For instance, it speeds up "nix path-info -rS /run/current-system" (i.e. showing the closure sizes of all paths in the closure of the current system) from 5.6s to 0.15s. This also eliminates some APIs like Store::queryDeriver() and Store::queryReferences().
2016-04-08 | Remove failed build caching | Eelco Dolstra | 1 | -17/+2
This feature was implemented for Hydra, but Hydra no longer uses it.
2016-04-08 | Make LocalStore thread-safe | Eelco Dolstra | 1 | -66/+52
Necessary for multi-threaded commands like "nix verify-paths".
2016-04-07 | Sign locally-built paths | Eelco Dolstra | 1 | -0/+6
Locally-built paths are now signed automatically using the secret keys specified by the ‘secret-key-files’ option.
2016-04-05 | Add "nix copy-sigs" command | Eelco Dolstra | 1 | -0/+2
This imports signatures from one store into another. E.g.
  $ nix copy-sigs -r /run/current-system -s https://cache.nixos.org/
  imported 595 signatures
2016-03-30 | LocalStore: Keep track of ultimately trusted paths | Eelco Dolstra | 1 | -2/+2
These are content-addressed paths or outputs of locally performed builds. They are trusted even if they don't have signatures, so "nix verify-paths" won't complain about them.
2016-03-30 | Improve the SQLite wrapper API | Eelco Dolstra | 1 | -3/+4
In particular, this eliminates a bunch of boilerplate code.
2016-03-30 | Factor out SQLite handling | Eelco Dolstra | 1 | -33/+2
2016-02-26 | importPaths(): Optionally add NARs to binary cache accessor | Eelco Dolstra | 1 | -1/+2
This enables an optimisation in hydra-queue-runner, preventing a download of a NAR it just uploaded to the cache when reading files like hydra-build-products.
2016-02-25 | Add NAR / Store accessor abstraction | Eelco Dolstra | 1 | -4/+1
This is primarily to allow hydra-queue-runner to extract files like "nix-support/hydra-build-products" from NARs in binary caches.
2016-02-24 | Eliminate reserveSpace flag | Eelco Dolstra | 1 | -1/+3
2016-02-15 | Expose the export magic value and move LocalStore::queryReferences to Store | Eelco Dolstra | 1 | -2/+0
2016-02-04 | StoreAPI -> Store | Eelco Dolstra | 1 | -1/+1
Calling a class an API is a bit redundant...
2016-02-04 | Eliminate the "store" global variable | Eelco Dolstra | 1 | -0/+4
Also, move a few free-standing functions into StoreAPI and Derivation. Also, introduce a non-nullable smart pointer, ref<T>, which is just a wrapper around std::shared_ptr ensuring that the pointer is never null. (For reference-counted values, this is better than passing a "T&", because the latter doesn't maintain the refcount. Usually, the caller will have a shared_ptr keeping the value alive, but that's not always the case, e.g., when passing a reference to a std::thread via std::bind.)
2016-01-31 | Use the daemon when we don't have write access to the Nix database | Eelco Dolstra | 1 | -0/+6
2015-09-18 | Shut up clang warnings | Eelco Dolstra | 1 | -29/+29
2015-07-17 | Allow remote builds without sending the derivation closure | Eelco Dolstra | 1 | -0/+3
Previously, to build a derivation remotely, we had to copy the entire closure of the .drv file to the remote machine, even though we only need the top-level derivation. This is very wasteful: the closure can contain thousands of store paths, and in some Hydra use cases, include source paths that are very large (e.g. Git/Mercurial checkouts).
So now there is a new operation, StoreAPI::buildDerivation(), that performs a build from an in-memory representation of a derivation (BasicDerivation) rather than from an on-disk .drv file. The only files that need to be in the Nix store are the sources of the derivation (drv.inputSrcs), and the needed output paths of the dependencies (as described by drv.inputDrvs). "nix-store --serve" exposes this interface.
Note that this is a privileged operation, because you can construct a derivation that builds any store path whatsoever. Fixing this will require changing the hashing scheme (i.e., the output paths should be computed from the other fields in BasicDerivation, allowing them to be verified without access to other derivations). However, this would be quite nice because it would allow .drv-free building (e.g. "nix-env -i" wouldn't have to write any .drv files to disk).
Fixes #173.
2015-03-25 | addToStore(): Take explicit name argument | Eelco Dolstra | 1 | -1/+1
2014-11-19 | Clean up temp roots in a more C++ way | Eelco Dolstra | 1 | -0/+4
2014-09-01 | Add an 'optimiseStore' remote procedure call. | Ludovic Courtès | 1 | -0/+3
2014-05-26 | Use std::unordered_set | Eelco Dolstra | 1 | -10/+2
2014-05-15 | nix-store --optimise: Remove bogus statistics | Eelco Dolstra | 1 | -4/+2
2014-05-15 | Shortcut store files before lstat | Wout Mertens | 1 | -0/+1
readdir() already returns the inode numbers, so we don't need to call lstat to know if a file was already linked or not.
2014-05-14 | Use the inodes given by readdir directly | Wout Mertens | 1 | -4/+4
2014-05-13 | Preload linked hashes to speed up lookups | Wout Mertens | 1 | -1/+13
By preloading all inodes in the /nix/store/.links directory, we can quickly determine if a hardlinked file was already linked to the hashed links. This is tolerant of removing the .links directory, it will simply recalculate all hashes in the store.
2014-02-18 | Add a flag ‘--check’ to verify build determinism | Eelco Dolstra | 1 | -1/+1
The flag ‘--check’ to ‘nix-store -r’ or ‘nix-build’ will cause Nix to redo the build of a derivation whose output paths are already valid. If the new output differs from the original output, an error is printed. This makes it easier to test if a build is deterministic. (Obviously this cannot catch all sources of non-determinism, but it catches the most common one, namely the current time.)
For example:
  $ nix-build '<nixpkgs>' -A patchelf
  ...
  $ nix-build '<nixpkgs>' -A patchelf --check
  error: derivation `/nix/store/1ipvxsdnbhl1rw6siz6x92s7sc8nwkkb-patchelf-0.6' may not be deterministic: hash mismatch in output `/nix/store/4pc1dmw5xkwmc6q3gdc9i5nbjl4dkjpp-patchelf-0.6.drv'
The --check build fails if not all outputs are valid. Thus the first call to nix-build is necessary to ensure that all outputs are valid. The current outputs are left untouched: the new outputs are either put in a chroot or diverted to a different location in the store using hash rewriting.
2013-11-14 | Remove nix-setuid-helper | Eelco Dolstra | 1 | -13/+1
AFAIK, nobody uses it, it's not maintained, and it has no tests.
2013-10-16 | Retry all SQLite operations | Eelco Dolstra | 1 | -0/+4
To deal with SQLITE_PROTOCOL, we also need to retry read-only operations.
2013-08-26 | Fix typos, especially those that end up in the Nix manual | Ivan Kozik | 1 | -1/+1
2013-06-20 | Don't keep "disabled" substituters running | Eelco Dolstra | 1 | -0/+2
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-13 | Allow hard links between the outputs of a derivation | Eelco Dolstra | 1 | -0/+5
2013-06-07 | Process stderr from substituters while doing have/info queries | Eelco Dolstra | 1 | -0/+1
2013-06-07 | Buffer reads from the substituter | Eelco Dolstra | 1 | -0/+5
This greatly reduces the number of system calls.
2013-03-08 | Revert "Prevent config.h from being clobbered" | Eelco Dolstra | 1 | -2/+2
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 | Prevent config.h from being clobbered | Eelco Dolstra | 1 | -2/+2
2013-02-27 | Refactoring: Split off the non-recursive canonicalisePathMetaData() | Eelco Dolstra | 1 | -1/+1
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 | Security: Don't allow builders to change permissions on files they don't own | Eelco Dolstra | 1 | -2/+2
It turns out that in multi-user Nix, a builder may be able to do
  ln /etc/shadow $out/foo
Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad.
Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is:
  echo 1 > /proc/sys/fs/protected_hardlinks
The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
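The ownership check described in the 2013-02-26 commit message above, as an added C++ example that is not Nix's own code. The names `Canon`, `canonicaliseOwned`, `modeOf`, `Demo` and `runDemo` and the temp-file path are hypothetical, and it assumes no builder process is still running to race the lstat()/chmod() pair.

```cpp
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <string>

// Added example, not Nix source; every name below is hypothetical.
enum class Canon { Ok, WrongOwner, Error };

// Make `path` read-only, but only if `buildUid` owns it. A hard link shares
// the inode (and owner) of its target, so a link to someone else's file is
// rejected before chmod(). Assumes the builder has exited (no lstat/chmod race).
Canon canonicaliseOwned(const std::string & path, uid_t buildUid)
{
    struct stat st;
    if (lstat(path.c_str(), &st) == -1) return Canon::Error;
    if (st.st_uid != buildUid) return Canon::WrongOwner;  // check before any change
    if (S_ISLNK(st.st_mode)) return Canon::Ok;            // chmod() would follow the link
    mode_t mode = (st.st_mode & S_IXUSR) ? 0555 : 0444;
    return chmod(path.c_str(), mode) == 0 ? Canon::Ok : Canon::Error;
}

static mode_t modeOf(const char * path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (st.st_mode & 07777) : 0;
}

struct Demo { Canon asOther; mode_t afterReject; Canon asOwner; mode_t afterAccept; };

// Constructed demo: a temp file owned by the caller, checked against another
// uid (standing in for a file the build user does not own), then its real owner.
Demo runDemo()
{
    Demo d{Canon::Error, 0, Canon::Error, 0};
    char file[] = "/tmp/canon-demo-XXXXXX";
    int fd = mkstemp(file);
    if (fd == -1) return d;
    close(fd);
    chmod(file, 0644);
    d.asOther = canonicaliseOwned(file, geteuid() + 1);
    d.afterReject = modeOf(file);   // mode must be untouched after a rejection
    d.asOwner = canonicaliseOwned(file, geteuid());
    d.afterAccept = modeOf(file);
    unlink(file);
    return d;
}

int main() { Demo d = runDemo(); return d.asOwner == Canon::Ok ? 0 : 1; }
```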
2013-01-03 | Clear any immutable bits in the Nix store | Eelco Dolstra | 1 | -2/+3
Doing this once makes subsequent operations like garbage collecting more efficient since we don't have to call makeMutable() first.