about summary refs log tree commit diff
path: root/src/libstore
AgeCommit message (Collapse)AuthorFilesLines
2013-10-22 For auto roots, show the intermediate linkEelco Dolstra1-1/+1
I.e. "nix-store -q --roots" will now show (for example) /home/eelco/Dev/nixpkgs/result rather than /nix/var/nix/gcroots/auto/53222qsppi12s2hkap8dm2lg8xhhyk6v
2013-10-16 Retry all SQLite operationsEelco Dolstra2-128/+169
To deal with SQLITE_PROTOCOL, we also need to retry read-only operations.
2013-10-16 Fix a race in registerFailedPath()Eelco Dolstra1-2/+1
Registering the path as failed can fail if another process does the same thing after the call to hasPathFailed(). This is extremely unlikely though.
2013-10-16 Convenience macros for retrying a SQLite transactionEelco Dolstra1-46/+42
2013-10-16 Don't wrap read-only queries in a transactionEelco Dolstra1-6/+0
There is no risk of getting an inconsistent result here: if the ID returned by queryValidPathId() is deleted from the database concurrently, subsequent queries involving that ID will simply fail (since IDs are never reused).
2013-10-16 Print a distinct warning for SQLITE_PROTOCOLEelco Dolstra1-4/+8
2013-10-16 Treat SQLITE_PROTOCOL as SQLITE_BUSYEelco Dolstra1-1/+1
In the Hydra build farm we fairly regularly get SQLITE_PROTOCOL errors (e.g., "querying path in database: locking protocol"). The docs for this error code say that it "is returned if some other process is messing with file locks and has violated the file locking protocol that SQLite uses on its rollback journal files." However, the SQLite source code reveals that this error can also occur under high load: if( cnt>5 ){ int nDelay = 1; /* Pause time in microseconds */ if( cnt>100 ){ VVA_ONLY( pWal->lockError = 1; ) return SQLITE_PROTOCOL; } if( cnt>=10 ) nDelay = (cnt-9)*238; /* Max delay 21ms. Total delay 996ms */ sqlite3OsSleep(pWal->pVfs, nDelay); } i.e. if certain locks cannot be not acquired, SQLite will retry a number of times before giving up and returing SQLITE_PROTOCOL. The comments say: Circumstances that cause a RETRY should only last for the briefest instances of time. No I/O or other system calls are done while the locks are held, so the locks should not be held for very long. But if we are unlucky, another process that is holding a lock might get paged out or take a page-fault that is time-consuming to resolve, during the few nanoseconds that it is holding the lock. In that case, it might take longer than normal for the lock to free. ... The total delay time before giving up is less than 1 second. On a heavily loaded machine like lucifer (the main Hydra server), which often has dozens of processes waiting for I/O, it seems to me that a page fault could easily take more than a second to resolve. So, let's treat SQLITE_PROTOCOL as SQLITE_BUSY and retry the transaction. Issue NixOS/hydra#14.
2013-09-06 Don't apply the CPU affinity hack to nix-shell (and other Perl programs)Eelco Dolstra3-1/+5
As discovered by Todd Veldhuizen, the shell started by nix-shell has its affinity set to a single CPU. This is because nix-shell connects to the Nix daemon, which causes the affinity hack to be applied. So we turn this off for Perl programs.
2013-09-02 Only show trace messages when tracing is enabledEelco Dolstra1-4/+3
2013-09-02 Add an option to limit the log output of buildersEelco Dolstra3-0/+19
This is mostly useful for Hydra to deal with builders that get stuck in an infinite loop writing data to stdout/stderr.
2013-08-26 Fix typos, especially those that end up in the Nix manualIvan Kozik2-2/+2
2013-08-26 Fix personality switching from x86_64 to i686Gergely Risko1-1/+6
On Linux, Nix can build i686 packages even on x86_64 systems. It's not enough to recognize this situation by settings.thisSystem, we also have to consult uname(). E.g. we can be running on a i686 Debian with an amd64 kernel. In that situation settings.thisSystem is i686-linux, but we still need to change personality to i686 to make builds consistent.
2013-08-07 Run the daemon worker on the same CPU as the clientEelco Dolstra4-2/+19
On a system with multiple CPUs, running Nix operations through the daemon is significantly slower than "direct" mode: $ NIX_REMOTE= nix-instantiate '<nixos>' -A system real 0m0.974s user 0m0.875s sys 0m0.088s $ NIX_REMOTE=daemon nix-instantiate '<nixos>' -A system real 0m2.118s user 0m1.463s sys 0m0.218s The main reason seems to be that the client and the worker get moved to a different CPU after every call to the worker. This patch adds a hack to lock them to the same CPU. With this, the overhead of going through the daemon is very small: $ NIX_REMOTE=daemon nix-instantiate '<nixos>' -A system real 0m1.074s user 0m0.809s sys 0m0.098s
2013-07-18 Revert "build-remote.pl: Enforce timeouts locally"Eelco Dolstra1-1/+3
This reverts commit 69b8f9980f39c14a59365a188b300a34d625a2cd. The timeout should be enforced remotely. Otherwise, if the garbage collector is running either locally or remotely, if will block the build or closure copying for some time. If the garbage collector takes too long, the build may time out, which is not what we want. Also, on heavily loaded systems, copying large paths to and from the remote machine can take a long time, also potentially resulting in a timeout.
2013-07-15 Allow bind-mounting regular files into the chrootShea Levy1-1/+9
mount(2) with MS_BIND allows mounting a regular file on top of a regular file, so there's no reason to only bind directories. This allows finer control over just which files are and aren't included in the chroot without having to build symlink trees or the like. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-12 Garbage collector: Don't follow symlinks arbitrarilyEelco Dolstra2-45/+40
Only indirect roots (symlinks to symlinks to the Nix store) are now supported.
2013-06-20 Don't set $preferLocalBuild and $requiredSystemFeatures in buildersEelco Dolstra2-8/+15
With C++ std::map, doing a comparison like ‘map["foo"] == ...’ has the side-effect of adding a mapping from "foo" to the empty string if "foo" doesn't exist in the map. So we ended up setting some environment variables by accident.
2013-06-20 Don't substitute derivations that have preferLocalBuild setEelco Dolstra3-7/+15
In particular this means that "trivial" derivations such as writeText are not substituted, reducing the number of GET requests to the binary cache by about 200 on a typical NixOS configuration.
2013-06-20 Increase SQLite's auto-checkpoint intervalEelco Dolstra1-2/+2
Common operations like instantiating a NixOS system config no longer fitted in 8192 pages, leading to more fsyncs. So increase this limit.
2013-06-20 Disable the copy-from-other-stores substituterEelco Dolstra1-0/+2
This substituter basically cannot work reliably since we switched to SQLite, since SQLite databases may need write access to open them even just for reading (and in WAL mode they always do).
2013-06-20 Don't keep "disabled" substituters runningEelco Dolstra2-2/+27
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-13 Allow hard links between the outputs of a derivationEelco Dolstra3-9/+20
2013-06-13 Fix a security bug in hash rewritingEelco Dolstra1-0/+6
Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled.
2013-06-13 Fix assertion failure in canonicalisePathMetaData() after hash rewritingEelco Dolstra1-2/+9
The assertion in canonicalisePathMetaData() failed because the ownership of the path already changed due to the hash rewriting. The solution is not to check the ownership of rewritten paths. Issue #122.
2013-06-13 computeFSClosure: Only process the missing/corrupt pathsEelco Dolstra1-11/+17
Issue #122.
2013-06-13 In repair mode, update the hash of rebuilt pathsEelco Dolstra2-4/+5
Otherwise subsequent invocations of "--repair" will keep rebuilding the path. This only happens if the path content differs between builds (e.g. due to timestamps).
2013-06-07 Remove obsolete EOF checksEelco Dolstra1-26/+18
2013-06-07 Process stderr from substituters while doing have/info queriesEelco Dolstra2-9/+51
2013-06-07 Buffer reads from the substituterEelco Dolstra2-10/+27
This greatly reduces the number of system calls.
2013-05-23 nix-store --export: Export paths in topologically sorted orderEelco Dolstra1-1/+1
Fixes #118.
2013-05-10 In trace messages, don't print the output pathEelco Dolstra1-19/+15
This doesn't work if there is no output named "out". Hydra didn't use it anyway.
2013-05-09 Communicate build timeouts to HydraEelco Dolstra1-7/+11
2013-05-09 build-remote.pl: Enforce timeouts locallyEelco Dolstra1-3/+1
Don't pass --timeout / --max-silent-time to the remote builder. Instead, let the local Nix process terminate the build if it exceeds a timeout. The remote builder will be killed as a side-effect. This gives better error reporting (since the timeout message from the remote side wasn't properly propagated) and handles non-Nix problems like SSH hangs.
2013-05-01 Don't let stderr writes in substituters cause a deadlockEelco Dolstra1-0/+4
2013-04-26 addAdditionalRoots(): Check each path only onceEelco Dolstra1-2/+2
2013-04-23 Fix --timeoutEelco Dolstra1-38/+25
I'm not sure if it has ever worked correctly. The line "lastWait = after;" seems to mean that the timer was reset every time a build produced log output. Note that the timeout is now per build, as documented ("the maximum number of seconds that a builder can run").
2013-04-23 Nix daemon: respect build timeout from the clientEelco Dolstra1-1/+1
2013-04-04 Complain if /homeless-shelter existsEelco Dolstra1-1/+5
2013-03-25 makeStoreWritable: Ask forgiveness, not permissionShea Levy1-2/+2
It is surprisingly impossible to check if a mountpoint is a bind mount on Linux, and in my previous commit I forgot to check if /nix/store was even a mountpoint at all. statvfs.f_flag is not populated with MS_BIND (and even if it were, my check was wrong in the previous commit). Luckily, the semantics of mount with MS_REMOUNT | MS_BIND make both checks unnecessary: if /nix/store is not a mountpoint, then mount will fail with EINVAL, and if /nix/store is not a bind-mount, then it will not be made writable. Thus, if /nix/store is not a mountpoint, we fail immediately (since we don't know how to make it writable), and if /nix/store IS a mountpoint but not a bind-mount, we fail at first write (see below for why we can't check and fail immediately). Note that, due to what is IMO buggy behavior in Linux, calling mount with MS_REMOUNT | MS_BIND on a non-bind readonly mount makes the mountpoint appear writable in two places: In the sixth (but not the 10th!) column of mountinfo, and in the f_flags member of struct statfs. All other syscalls behave as if the mount point were still readonly (at least for Linux 3.9-rc1, but I don't think this has changed recently or is expected to soon). My preferred semantics would be for MS_REMOUNT | MS_BIND to fail on a non-bind mount, as it doesn't make sense to remount a non bind-mount as a bind mount.
2013-03-25 makeStoreWritable: Use statvfs instead of /proc/self/mountinfo to find out ↵Shea Levy1-21/+12
if /nix/store is a read-only bind mount /nix/store could be a read-only bind mount even if it is / in its own filesystem, so checking the 4th field in mountinfo is insufficient. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-03-08 Revert "Prevent config.h from being clobbered"Eelco Dolstra9-55/+112
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 Prevent config.h from being clobberedEelco Dolstra9-112/+55
2013-02-28 Handle systems without lutimes() or lchown()Eelco Dolstra1-1/+1
2013-02-28 Handle symlinks properlyEelco Dolstra1-1/+1
Now it's really brown paper bag time...
2013-02-27 Handle hard links to other files in the outputEelco Dolstra1-6/+26
2013-02-27 Refactoring: Split off the non-recursive canonicalisePathMetaData()Eelco Dolstra3-37/+52
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 Security: Don't allow builders to change permissions on files they don't ownEelco Dolstra4-12/+15
It turns out that in multi-user Nix, a builder may be able to do ln /etc/shadow $out/foo Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad. Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is: echo 1 > /proc/sys/fs/protected_hardlinks The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
2013-02-19 Add `Settings::nixDaemonSocketFile'.Ludovic Courtès4-9/+13
2013-02-19 Enable chroot support on old glibc versions.Ludovic Courtès1-0/+6
2013-01-23 Only warn about SQLite being busy onceEelco Dolstra1-1/+5
No need to get annoying.