path: root/src/libstore
Age | Commit message | Author | Files | Lines
2017-11-20 | signed-binary-caches -> require-sigs | Eelco Dolstra | 2 | -1/+6
Unlike signed-binary-caches (which could only be '*' or ''), require-sigs is a proper Boolean option. The default is true.
2017-11-20 | binary-cache-public-keys -> trusted-public-keys | Eelco Dolstra | 2 | -4/+5
The name had become a misnomer since it's not only for substitution from binary caches, but when adding/copying any (non-content-addressed) path to a store.
2017-11-20 | nix copy: Abbreviate "daemon" | Eelco Dolstra | 1 | -2/+2
2017-11-15 | Add a "profile" option to S3BinaryCacheStore | Eelco Dolstra | 3 | -5/+14
This allows specifying the AWS configuration profile to use. E.g.

  nix copy --from s3://my-cache?profile=aws-dev-account /nix/store/cf3isrlqavvd5w7rpky1fa8j9lcnlggm-...

2017-11-14 | nix sign-paths: Support binary caches | Eelco Dolstra | 2 | -15/+37
2017-11-14 | nix ls-{nar,store}: Don't abort on missing files | Eelco Dolstra | 1 | -1/+1
2017-11-14 | nix ls-{nar,store} --json: Respect -R | Eelco Dolstra | 3 | -5/+12
2017-11-14 | nix ls-{store,nar}: Add --json flag | Eelco Dolstra | 3 | -34/+38
2017-11-08 | Remove extraneous comment | Eelco Dolstra | 1 | -3/+0
2017-11-08 | Merge pull request #1650 from copumpkin/darwin-sandbox-unix-socket | Eelco Dolstra | 1 | -1/+8
Always allow builds to use unix domain sockets in Darwin sandbox
2017-11-06 | Merge pull request #1632 from AmineChikhaoui/sigint-copy | Eelco Dolstra | 1 | -1/+9
run query paths in parallel during nix copy and handle SIGINT
2017-11-03 | Merge pull request #1651 from LnL7/darwin-sandbox-getpwuid | Eelco Dolstra | 1 | -0/+3
Allow getpwuid in the darwin sandbox
2017-11-03 | Allow getpwuid in the darwin sandbox. | Daiderd Jordan | 1 | -0/+3
2017-11-03 | Don't freak out if we get a 403 from S3 | Daniel Peebles | 1 | -2/+2
As far as we're concerned, not being able to access a file just means the file is missing. Plus, AWS explicitly goes out of its way to return a 403 if the file is missing and the requester doesn't have permission to list the bucket. Also getting rid of an old hack that Eelco said was only relevant to an older AWS SDK.
2017-11-01 | Add fetchMercurial primop | Eelco Dolstra | 1 | -1/+1
E.g.

  $ nix eval '(fetchMercurial https://www.mercurial-scm.org/repo/hello)'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "82e55d328c8ca4ee16520036c0aaace03a5beb65"; revCount = 1; shortRev = "82e55d328c8c"; }

  $ nix eval '(fetchMercurial { url = https://www.mercurial-scm.org/repo/hello; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; })'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; revCount = 0; shortRev = "0a04b987be5a"; }

  $ nix eval '(fetchMercurial /tmp/unclean-hg-tree)'
  { branch = "default"; outPath = "/nix/store/cm750cdw1x8wfpm3jq7mz09r30l9r024-source"; rev = "0000000000000000000000000000000000000000"; revCount = 0; shortRev = "000000000000"; }

2017-10-31 | Always allow builds to use unix domain sockets in Darwin sandbox | Dan Peebles | 1 | -1/+8
2017-10-30 | Merge pull request #1646 from copumpkin/optional-sandbox-local-network | Eelco Dolstra | 2 | -5/+33
Allow optional localhost network access to sandboxed derivations
2017-10-30 | Allow optional localhost network access to sandboxed derivations | Dan Peebles | 2 | -5/+33
This will allow bind and connect to 127.0.0.1, which can reduce purity/security (if you're running a vulnerable service on localhost) but is also needed for a ton of test suites, so I'm leaving it turned off by default but allowing certain derivations to turn it on as needed. It also allows DNS resolution of arbitrary hostnames but I haven't found a way to avoid that. In principle I'd just want to allow resolving localhost but that doesn't seem to be possible. I don't think this belongs under `build-use-sandbox = relaxed` because we want it on Hydra and I don't think it's the end of the world.
2017-10-30 | Add option allowed-uris | Eelco Dolstra | 1 | -1/+3
This allows network access in restricted eval mode.
2017-10-30 | enable-http2 -> http2 | Eelco Dolstra | 1 | -1/+1
2017-10-30 | fetchurl/fetchTarball: Respect name changes | Eelco Dolstra | 1 | -1/+3
The computation of urlHash didn't take the name into account, so subsequent fetchurl calls with the same URL but a different name would resolve to the same cached store path.
2017-10-25 | respect SIGINT in nix copy during the paths queries #1629 | AmineChikhaoui | 1 | -0/+1
2017-10-25 | Merge branch 'master' of github.com:NixOS/nix into sigint-copy | AmineChikhaoui | 1 | -2/+2
2017-10-25 | Fix building on clang | Eelco Dolstra | 1 | -2/+2
https://hydra.nixos.org/build/62945761
2017-10-25 | attempt to fix #1630: make the queries of store paths run in parallel using a thread pool | AmineChikhaoui | 1 | -1/+8
2017-10-25 | exportReferencesGraph: Allow exporting a list of store paths | Eelco Dolstra | 1 | -14/+22
2017-10-25 | Fix exportReferencesGraph in the structured attrs case | Eelco Dolstra | 1 | -69/+68
2017-10-25 | Pass lists/attrsets to bash as (associative) arrays | Eelco Dolstra | 1 | -3/+93
2017-10-24 | Allow shorter syntax for chroot stores | Eelco Dolstra | 2 | -4/+12
You can now say '--store /tmp/nix' instead of '--store local?root=/tmp/nix'.
2017-10-24 | More progress indicator improvements | Eelco Dolstra | 1 | -13/+9
In particular, don't show superfluous "fetching path" and "building path(s)" messages, and show the current round (with --repeat).
2017-10-24 | More progress indicator improvements | Eelco Dolstra | 2 | -6/+14
Fixes #1599.
2017-10-24 | Progress indicator: Show on what machine we're building | Eelco Dolstra | 1 | -3/+7
E.g.

  $ nix build nixpkgs.hello --builders 'root@wendy'
  [1/0/1 built] building hello-2.10 on ssh://root@wendy: checking for minix/config.h... no

2017-10-24 | Handle log messages from build-remote | Eelco Dolstra | 1 | -114/+22
This makes the progress indicator show statuses like "connecting to 'root@machine'".
2017-10-24 | nix: Respect -I, --arg, --argstr | Eelco Dolstra | 1 | -3/+3
Also, random cleanup to argument handling.
2017-10-24 | Remove the remote-builds option | Eelco Dolstra | 3 | -6/+7
This is superfluous since you can now just set "builders" to empty, e.g. "--builders ''".
2017-10-24 | Remove the builder-files option | Eelco Dolstra | 3 | -16/+21
You can now include files via the "builders" option, using the syntax "@<filename>". Having only one option makes it easier to override builders completely. For backward compatibility, the default is "@/etc/nix/machines", or "@<filename>" for each file name in NIX_REMOTE_SYSTEMS.
2017-10-23 | Pass all settings to build-remote | Eelco Dolstra | 1 | -10/+18
This ensures that command line flags such as --builders get passed correctly.
2017-10-23 | Turn $NIX_REMOTE into a configuration option | Eelco Dolstra | 2 | -2/+7
2017-10-20 | Merge pull request #1616 from copumpkin/separate-darwin-sandbox | Eelco Dolstra | 2 | -13/+11
Shift Darwin sandbox to separate installed files
2017-10-19 | Revert "Let's not populate the NAR cache from hydra-queue-runner for now" | Eelco Dolstra | 1 | -2/+2
This reverts commit 908590dc6cfcca3a98755b194d93b2da39aee95c. Since hydra-server can have a different store URI from hydra-queue-runner now, we don't really need this.
2017-10-18 | Let's not populate the NAR cache from hydra-queue-runner for now | Eelco Dolstra | 1 | -2/+2
2017-10-18 | Errors writing to the NAR cache should not be fatal | Eelco Dolstra | 1 | -1/+5
2017-10-18 | Suppress "copying 0 paths" message | Eelco Dolstra | 1 | -0/+2
2017-10-17 | Shift Darwin sandbox to separate installed files | Dan Peebles | 2 | -13/+11
This makes it slightly more manageable to see at a glance what in a build's sandbox profile is unique to the build and what is standard. Also a first step to factoring more of our Darwin logic into scheme functions that will allow us a bit more flexibility. And of course less of that nasty codegen in C++! 😀
2017-10-17 | BinaryCacheStore::addToStore(): Add NARs to the local cache | Eelco Dolstra | 3 | -10/+26
2017-10-17 | BinaryCacheStore: Support local caching of NARs | Eelco Dolstra | 4 | -5/+25
This speeds up commands like "nix cat-store". For example:

  $ time nix cat-store --store https://cache.nixos.org?local-nar-cache=/tmp/nar-cache /nix/store/i60yncmq6w9dyv37zd2k454g0fkl3arl-systemd-234/etc/udev/udev.conf
  real 0m4.336s

  $ time nix cat-store --store https://cache.nixos.org?local-nar-cache=/tmp/nar-cache /nix/store/i60yncmq6w9dyv37zd2k454g0fkl3arl-systemd-234/etc/udev/udev.conf
  real 0m0.045s

The primary motivation is to allow hydra-server to serve files from S3 binary caches. Previously Hydra had a hack to do "nix-store -r <path>", but that fetches the entire closure so is prohibitively expensive.

There is no garbage collection of the NAR cache yet. Also, the entire NAR is read when accessing a single member file. We could generate the NAR listing to provide random access.

Note: the NAR cache is indexed by the store path hash, not the content hash, so NAR caches should not be shared between binary caches, unless you're sure that all your builds are binary-reproducible.
2017-10-17 | Remove BinaryCacheStoreAccessor | Eelco Dolstra | 2 | -61/+4
Probably as a result of a bad merge in 4b8f1b0ec066a5b994747b1afd050f5f62d857f6, we had both a BinaryCacheStoreAccessor and a RemoteFSAccessor. BinaryCacheStore::getFSAccessor() returned the latter, but BinaryCacheStore::addToStore() checked for the former. This probably caused hydra-queue-runner to download paths that it just uploaded.
2017-10-12 | Add option to disable the seccomp filter | Eelco Dolstra | 2 | -0/+8
I needed this to test ACL/xattr removal in canonicalisePathMetaData(). Might also be useful if you need to build old Nixpkgs that doesn't have the required patches to remove setuid/setgid creation.
2017-10-02 | Reverse retry logic to retry in all but a few cases | Dan Peebles | 1 | -20/+37
It was getting too much like whac-a-mole listing all the retriable error conditions, so we now retry by default and list the cases where retrying is almost certainly hopeless.
2017-09-18 | Don't remove Content-Encoding in fetchurl / nix-prefetch-url | Eelco Dolstra | 3 | -1/+4
Fixes #1568.