path: root/src/libstore
Age | Commit message | Author | Files | Lines
2013-06-13 | Fix a security bug in hash rewriting | Eelco Dolstra | 1 | -0/+6
Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled.
2013-06-13 | Fix assertion failure in canonicalisePathMetaData() after hash rewriting | Eelco Dolstra | 1 | -2/+9
The assertion in canonicalisePathMetaData() failed because the ownership of the path already changed due to the hash rewriting. The solution is not to check the ownership of rewritten paths. Issue #122.
2013-06-13 | computeFSClosure: Only process the missing/corrupt paths | Eelco Dolstra | 1 | -11/+17
Issue #122.
2013-06-13 | In repair mode, update the hash of rebuilt paths | Eelco Dolstra | 2 | -4/+5
Otherwise subsequent invocations of "--repair" will keep rebuilding the path. This only happens if the path content differs between builds (e.g. due to timestamps).
2013-06-07 | Remove obsolete EOF checks | Eelco Dolstra | 1 | -26/+18
2013-06-07 | Process stderr from substituters while doing have/info queries | Eelco Dolstra | 2 | -9/+51
2013-06-07 | Buffer reads from the substituter | Eelco Dolstra | 2 | -10/+27
This greatly reduces the number of system calls.
2013-05-23 | nix-store --export: Export paths in topologically sorted order | Eelco Dolstra | 1 | -1/+1
Fixes #118.
2013-05-10 | In trace messages, don't print the output path | Eelco Dolstra | 1 | -19/+15
This doesn't work if there is no output named "out". Hydra didn't use it anyway.
2013-05-09 | Communicate build timeouts to Hydra | Eelco Dolstra | 1 | -7/+11
2013-05-09 | build-remote.pl: Enforce timeouts locally | Eelco Dolstra | 1 | -3/+1
Don't pass --timeout / --max-silent-time to the remote builder. Instead, let the local Nix process terminate the build if it exceeds a timeout. The remote builder will be killed as a side-effect. This gives better error reporting (since the timeout message from the remote side wasn't properly propagated) and handles non-Nix problems like SSH hangs.
2013-05-01 | Don't let stderr writes in substituters cause a deadlock | Eelco Dolstra | 1 | -0/+4
2013-04-26 | addAdditionalRoots(): Check each path only once | Eelco Dolstra | 1 | -2/+2
2013-04-23 | Fix --timeout | Eelco Dolstra | 1 | -38/+25
I'm not sure if it has ever worked correctly. The line "lastWait = after;" seems to mean that the timer was reset every time a build produced log output. Note that the timeout is now per build, as documented ("the maximum number of seconds that a builder can run").
2013-04-23 | Nix daemon: respect build timeout from the client | Eelco Dolstra | 1 | -1/+1
2013-04-04 | Complain if /homeless-shelter exists | Eelco Dolstra | 1 | -1/+5
2013-03-25 | makeStoreWritable: Ask forgiveness, not permission | Shea Levy | 1 | -2/+2
It is surprisingly impossible to check if a mountpoint is a bind mount on Linux, and in my previous commit I forgot to check if /nix/store was even a mountpoint at all. statvfs.f_flag is not populated with MS_BIND (and even if it were, my check was wrong in the previous commit).
Luckily, the semantics of mount with MS_REMOUNT | MS_BIND make both checks unnecessary: if /nix/store is not a mountpoint, then mount will fail with EINVAL, and if /nix/store is not a bind-mount, then it will not be made writable. Thus, if /nix/store is not a mountpoint, we fail immediately (since we don't know how to make it writable), and if /nix/store IS a mountpoint but not a bind-mount, we fail at first write (see below for why we can't check and fail immediately).
Note that, due to what is IMO buggy behavior in Linux, calling mount with MS_REMOUNT | MS_BIND on a non-bind readonly mount makes the mountpoint appear writable in two places: In the sixth (but not the 10th!) column of mountinfo, and in the f_flags member of struct statfs. All other syscalls behave as if the mount point were still readonly (at least for Linux 3.9-rc1, but I don't think this has changed recently or is expected to soon). My preferred semantics would be for MS_REMOUNT | MS_BIND to fail on a non-bind mount, as it doesn't make sense to remount a non bind-mount as a bind mount.
2013-03-25 | makeStoreWritable: Use statvfs instead of /proc/self/mountinfo to find out if /nix/store is a read-only bind mount | Shea Levy | 1 | -21/+12
/nix/store could be a read-only bind mount even if it is / in its own filesystem, so checking the 4th field in mountinfo is insufficient. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-03-08 | Revert "Prevent config.h from being clobbered" | Eelco Dolstra | 9 | -55/+112
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 | Prevent config.h from being clobbered | Eelco Dolstra | 9 | -112/+55
2013-02-28 | Handle systems without lutimes() or lchown() | Eelco Dolstra | 1 | -1/+1
2013-02-28 | Handle symlinks properly | Eelco Dolstra | 1 | -1/+1
Now it's really brown paper bag time...
2013-02-27 | Handle hard links to other files in the output | Eelco Dolstra | 1 | -6/+26
2013-02-27 | Refactoring: Split off the non-recursive canonicalisePathMetaData() | Eelco Dolstra | 3 | -37/+52
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 | Security: Don't allow builders to change permissions on files they don't own | Eelco Dolstra | 4 | -12/+15
It turns out that in multi-user Nix, a builder may be able to do
  ln /etc/shadow $out/foo
Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad.
Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is:
  echo 1 > /proc/sys/fs/protected_hardlinks
The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
2013-02-19 | Add `Settings::nixDaemonSocketFile'. | Ludovic Courtès | 4 | -9/+13
2013-02-19 | Enable chroot support on old glibc versions. | Ludovic Courtès | 1 | -0/+6
2013-01-23 | Only warn about SQLite being busy once | Eelco Dolstra | 1 | -1/+5
No need to get annoying.
2013-01-17 | Store build logs in /nix/var/log/nix/drvs/<XX> | Eelco Dolstra | 1 | -3/+5
...where <XX> is the first two characters of the derivation. Otherwise /nix/var/log/nix/drvs may become so large that we run into all sorts of weird filesystem limits/inefficiencies. For instance, ext3/ext4 filesystems will barf with "ext4_dx_add_entry:1551: Directory index full!" once you hit a few million files.
2013-01-05 | Delete a left-over trash directory before doing a GC | Eelco Dolstra | 1 | -1/+4
2013-01-04 | Fix "0 store paths deleted" message | Eelco Dolstra | 1 | -0/+2
2013-01-03 | Open the database after removing immutable bits | Eelco Dolstra | 1 | -1/+1
2013-01-03 | Clear any immutable bits in the Nix store | Eelco Dolstra | 5 | -22/+64
Doing this once makes subsequent operations like garbage collecting more efficient since we don't have to call makeMutable() first.
2013-01-02 | If a substitute closure is incomplete, build dependencies, then retry the substituter | Eelco Dolstra | 1 | -7/+28
Issue #77.
2013-01-02 | Automatically fall back if the references of a substitute are not substitutable | Eelco Dolstra | 1 | -1/+1
Fixes #77.
2012-12-29 | nix-build: Support talking to old daemons | Eelco Dolstra | 1 | -1/+10
Fixes #76.
2012-12-29 | Allow mounting a path in a different location in the chroot | Eelco Dolstra | 3 | -10/+17
Fixes #24.
2012-12-20 | nix-store -q --roots: Respect the gc-keep-outputs/gc-keep-derivations settings | Eelco Dolstra | 7 | -24/+59
So if a path is not garbage solely because it's reachable from a root due to the gc-keep-outputs or gc-keep-derivations settings, ‘nix-store -q --roots’ now shows that root.
2012-12-20 | Yet another rewrite of the garbage collector | Eelco Dolstra | 2 | -131/+138
But this time it's *obviously* correct! No more segfaults due to infinite recursions for sure, etc. Also, move directories to /nix/store/trash instead of renaming them to /nix/store/bla-gc-<pid>. Then we can just delete /nix/store/trash at the end.
2012-12-19 | If gc-keep-derivations is set, only keep the actual deriver | Eelco Dolstra | 1 | -1/+1
This prevents zillions of derivations from being kept, and fixes an infinite recursion in the garbage collector (due to an obscure cycle that can occur with fixed-output derivations).
2012-12-19 | Kill the build hook rather than shutting it down cleanly | Eelco Dolstra | 1 | -7/+1
Waiting for the hook to shut down cleanly sometimes seems to lead to hangs.
2012-12-18 | Revert brain fart | Eelco Dolstra | 1 | -2/+0
This reverts commit cc511fd65b7b6de9e87e72fb4bed16fc7efeb8b7.
2012-12-18 | Check for potential infinite select() loops when building | Eelco Dolstra | 1 | -0/+2
2012-12-11 | On SQLITE_BUSY, wait a random amount of time | Eelco Dolstra | 1 | -1/+1
If all contending processes wait a fixed amount of time (100 ms), there is a good probability that they'll just collide again.
2012-11-27 | Add builtin constants ‘langVersion’ and ‘nixVersion’ | Eelco Dolstra | 3 | -0/+7
The integer constant ‘langVersion’ denotes the current language version. It gets increased every time a language feature is added/changed/removed. It's currently 1. The string constant ‘nixVersion’ contains the current Nix version, e.g. "1.2pre2980_9de6bc5".
2012-11-26 | queryMissing(): Handle partially valid derivations | Eelco Dolstra | 1 | -5/+6
2012-11-26 | Only substitute wanted outputs of a derivation | Eelco Dolstra | 4 | -21/+77
If a derivation has multiple outputs, then we only want to download those outputs that are actually needed. So if we do "nix-build -A openssl.man", then only the "man" output should be downloaded. Likewise if another package depends on ${openssl.man}. The tricky part is that different derivations can depend on different outputs of a given derivation, so we may need to restart the corresponding derivation goal if that happens.
2012-11-26 | Make "nix-build -A <derivation>.<output>" do the right thing | Eelco Dolstra | 4 | -7/+38
For example, given a derivation with outputs "out", "man" and "bin":
  $ nix-build -A pkg
produces ./result pointing to the "out" output;
  $ nix-build -A pkg.man
produces ./result-man pointing to the "man" output;
  $ nix-build -A pkg.all
produces ./result, ./result-man and ./result-bin;
  $ nix-build -A pkg.all -A pkg2
produces ./result, ./result-man, ./result-bin and ./result-2.
2012-11-15 | Disable use of vfork() | Eelco Dolstra | 1 | -1/+1
vfork() is just too weird. For instance, in this build: http://hydra.nixos.org/build/3330487 the value fromHook.writeSide becomes corrupted in the parent, even though the child only reads from it. At -O0 the problem goes away. Probably the child is overriding some spilled temporary variable. If I get bored I may implement using posix_spawn() instead.
2012-11-15 | Don't use std::cerr in a few places | Eelco Dolstra | 2 | -11/+9
Slightly scared of using std::cerr in a vforked process...