path: root/src/nix-store
Age | Commit message | Author | Files | Lines
2014-07-23 | nix-store --serve: Monitor for client disconnects | Eelco Dolstra | 1 | -0/+3
This is necessary because build-remote.pl now builds via ‘nix-store --serve’. So if a build hangs without writing to stdout/stderr, and the client disconnects, then we need to detect that.
2014-07-14 | build-remote.pl: Fix building multiple output derivations | Eelco Dolstra | 1 | -1/+3
We were importing paths without sorting them topologically, leading to "path is not valid" errors. See e.g. http://hydra.nixos.org/build/12451761
2014-07-11 | build-remote.pl: Use ‘nix-store --serve’ on the remote side | Eelco Dolstra | 2 | -5/+34
This makes things more efficient (we don't need to use an SSH master connection, and we only start a single remote process) and gets rid of locking issues (the remote nix-store process will keep inputs and outputs locked as long as they're needed).

It also makes it more or less secure to connect directly to the root account on the build machine, using a forced command (e.g. ‘command="nix-store --serve --write"’). This bypasses the Nix daemon and is therefore more efficient.

Also, don't call nix-store to import the output paths.
2014-07-10 | nix-copy-closure -s: Do substitutions via ‘nix-store --serve’ | Eelco Dolstra | 1 | -0/+29
This means we no longer need an SSH master connection, since we only execute a single command on the remote host.
2014-07-10 | Refactoring: Move all fork handling into a higher-order function | Eelco Dolstra | 1 | -21/+8
C++11 lambdas ftw.
2014-07-10 | nix-copy-closure: Restore compression and the progress viewer | Eelco Dolstra | 1 | -2/+47
2014-07-10 | nix-copy-closure: Fix race condition | Eelco Dolstra | 2 | -53/+58
There is a long-standing race condition when copying a closure to a remote machine, particularly affecting build-remote.pl: the client first asks the remote machine which paths it already has, then copies over the missing paths. If the garbage collector kicks in on the remote machine between the first and second step, the already-present paths may be deleted. The missing paths may then refer to deleted paths, causing nix-copy-closure to fail. The client now performs both steps using a single remote Nix call (using ‘nix-store --serve’), locking all paths in the closure while querying.

I changed the --serve protocol a bit (getting rid of QueryCommand), so this breaks the SSH substituter from older versions. But it was marked experimental anyway.

Fixes #141.
2014-07-10 | Fix security hole in ‘nix-store --serve’ | Eelco Dolstra | 1 | -1/+1
Since it didn't check that the path received from the client is a store path, the client could dump any path in the file system.
2014-05-21 | nix-store -l: Fetch build logs from the Internet | Eelco Dolstra | 2 | -3/+28
If a build log is not available locally, then ‘nix-store -l’ will now try to download it from the servers listed in the ‘log-servers’ option in nix.conf. For instance, if you have:

  log-servers = http://hydra.nixos.org/log

then it will try to get logs from http://hydra.nixos.org/log/<base name of the store path>. So you can do things like:

  $ nix-store -l $(which xterm)

and get a log even if xterm wasn't built locally.
2014-05-15 | nix-store --optimise: Remove bogus statistics | Eelco Dolstra | 1 | -4/+2
2014-02-26 | nix-store -r: Respect --add-root for non-derivations | Eelco Dolstra | 1 | -1/+9
Fixes #68. Fixes #117.
2014-02-18 | Add a flag ‘--check’ to verify build determinism | Eelco Dolstra | 1 | -3/+4
The flag ‘--check’ to ‘nix-store -r’ or ‘nix-build’ will cause Nix to redo the build of a derivation whose output paths are already valid. If the new output differs from the original output, an error is printed. This makes it easier to test if a build is deterministic. (Obviously this cannot catch all sources of non-determinism, but it catches the most common one, namely the current time.)

For example:

  $ nix-build '<nixpkgs>' -A patchelf
  ...
  $ nix-build '<nixpkgs>' -A patchelf --check
  error: derivation `/nix/store/1ipvxsdnbhl1rw6siz6x92s7sc8nwkkb-patchelf-0.6' may not be deterministic: hash mismatch in output `/nix/store/4pc1dmw5xkwmc6q3gdc9i5nbjl4dkjpp-patchelf-0.6.drv'

The --check build fails if not all outputs are valid. Thus the first call to nix-build is necessary to ensure that all outputs are valid.

The current outputs are left untouched: the new outputs are either put in a chroot or diverted to a different location in the store using hash rewriting.
2014-02-17 | nix-store --gc --max-freed: Support a unit specifier | Eelco Dolstra | 1 | -1/+1
E.g. "--max-freed 10G" means "free ten gigabytes".
2014-02-14 | download-via-ssh: Use readStorePath | Eelco Dolstra | 1 | -2/+3
2014-02-14 | Minor style fixes | Eelco Dolstra | 1 | -1/+1
2014-02-12 | Indendation fix | Shea Levy | 1 | -21/+19
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-12 | error messages start in lowercase | Shea Levy | 1 | -2/+2
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-10 | nix-store --serve: Use a versioned protocol | Shea Levy | 2 | -27/+79
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-10 | Move StoreApi::serve into opServe | Shea Levy | 1 | -1/+29
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 | nix-store --serve: Use dump instead of export | Shea Levy | 1 | -9/+3
Also remove signing support

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 | Add the nix-store --serve command | Shea Levy | 1 | -0/+20
This is essentially the substituter API operating on the local store, which will be used by the ssh substituter. It runs in a loop rather than just taking one command so that in the future nix will be able to keep one connection open for multiple instances of the substituter.

Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-01 | Remove Automakefiles | Eelco Dolstra | 1 | -12/+0
2014-02-01 | Update Makefile variable names | Eelco Dolstra | 1 | -1/+1
2014-01-30 | Rename Makefile -> local.mk | Eelco Dolstra | 1 | -0/+0
2014-01-21 | Merge branch 'master' into make | Eelco Dolstra | 1 | -2/+6
Conflicts: src/libexpr/eval.cc
2014-01-09 | Update Makefiles | Eelco Dolstra | 1 | -1/+1
2013-12-20 | Doh | Eelco Dolstra | 1 | -1/+1
2013-12-20 | nix-shell: Handle --option correctly | Eelco Dolstra | 1 | -2/+6
Fixes #181.
2013-11-25 | Rename Makefile.new -> Makefile | Eelco Dolstra | 1 | -0/+0
2013-11-22 | Support building dynamic libraries | Eelco Dolstra | 1 | -0/+2
2013-11-22 | Rename $(here) to $(d) for brevity, and remove trailing slash | Eelco Dolstra | 1 | -1/+1
2013-11-22 | New non-recursive, plain Make-based build system | Eelco Dolstra | 1 | -0/+7
2013-05-23 | nix-store --export: Export paths in topologically sorted order | Eelco Dolstra | 1 | -1/+3
Fixes #118.
2013-03-08 | Revert "Prevent config.h from being clobbered" | Eelco Dolstra | 1 | -38/+39
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 | Prevent config.h from being clobbered | Eelco Dolstra | 1 | -39/+38
2013-02-26 | Security: Don't allow builders to change permissions on files they don't own | Eelco Dolstra | 1 | -8/+2
It turns out that in multi-user Nix, a builder may be able to do

  ln /etc/shadow $out/foo

Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad.

Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is:

  echo 1 > /proc/sys/fs/protected_hardlinks

The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.
2013-01-30 | Support the colonies | Eelco Dolstra | 1 | -3/+3
2013-01-22 | Correctly handle missing logs | Eelco Dolstra | 1 | -1/+3
2013-01-17 | Store build logs in /nix/var/log/nix/drvs/<XX> | Eelco Dolstra | 1 | -27/+32
...where <XX> is the first two characters of the derivation. Otherwise /nix/var/log/nix/drvs may become so large that we run into all sorts of weird filesystem limits/inefficiencies. For instance, ext3/ext4 filesystems will barf with "ext4_dx_add_entry:1551: Directory index full!" once you hit a few million files.
2012-12-20 | nix-store -q --roots: Respect the gc-keep-outputs/gc-keep-derivations settings | Eelco Dolstra | 1 | -1/+2
So if a path is not garbage solely because it's reachable from a root due to the gc-keep-outputs or gc-keep-derivations settings, ‘nix-store -q --roots’ now shows that root.
2012-11-26 | Make "nix-build -A <derivation>.<output>" do the right thing | Eelco Dolstra | 1 | -5/+15
For example, given a derivation with outputs "out", "man" and "bin":

  $ nix-build -A pkg

produces ./result pointing to the "out" output;

  $ nix-build -A pkg.man

produces ./result-man pointing to the "man" output;

  $ nix-build -A pkg.all

produces ./result, ./result-man and ./result-bin;

  $ nix-build -A pkg.all -A pkg2

produces ./result, ./result-man, ./result-bin and ./result-2.
2012-11-20 | nix-store -r: Add ‘--ignore-unknown’ flag | Eelco Dolstra | 1 | -9/+25
This flag causes paths that do not have a known substitute to be quietly ignored. This is mostly useful for Charon, allowing it to speed up deployment by letting a machine use substitutes for all substitutable paths, instead of uploading them. The latter is frequently faster, e.g. if the target machine has a fast Internet connection while the source machine is on a slow ADSL line.
2012-11-19 | nix-store -r: Don't quietly ignore missing paths | Eelco Dolstra | 1 | -0/+1
2012-10-03 | When ‘--help’ is given, just run ‘man’ to show the manual page | Eelco Dolstra | 3 | -80/+3
I.e. do what git does. I'm too lazy to keep the builtin help text up to date :-)

Also add ‘--help’ to various commands that lacked it (e.g. nix-collect-garbage).
2012-10-02 | Add a --repair flag to ‘nix-store -r’ to repair derivation outputs | Eelco Dolstra | 1 | -1/+3
With this flag, if any valid derivation output is missing or corrupt, it will be recreated by using a substitute if available, or by rebuilding the derivation. The latter may use hash rewriting if chroots are not available.
2012-10-02 | nix-store -r: Get rid of an unnecessary call to buildPaths/ensurePaths | Eelco Dolstra | 1 | -4/+4
2012-10-02 | nix-store --verify: Add an option ‘--repair’ to repair all missing/corrupt paths | Eelco Dolstra | 1 | -2/+6
Also, return a non-zero exit code if errors remain after verifying/repairing.
2012-10-02 | Add operation ‘nix-store --repair-path’ | Eelco Dolstra | 1 | -0/+17
This operation allows fixing corrupted or accidentally deleted store paths by redownloading them using substituters, if available.

Since the corrupted path cannot be replaced atomically, there is a very small time window (one system call) during which neither the old (corrupted) nor the new (repaired) contents are available. So repairing should be used with some care on critical packages like Glibc.
2012-08-27 | Merge branch 'master' into no-manifests | Eelco Dolstra | 1 | -9/+12
2012-08-24 | Include the output name in the GC root link | Eelco Dolstra | 1 | -3/+7
Output names are now appended to resulting GC symlinks, e.g. by nix-build. For backwards compatibility, if the output is named "out", nothing is appended. E.g. doing "nix-build -A foo" on a derivation that produces outputs "out", "bin" and "dev" will produce symlinks "./result", "./result-bin" and "./result-dev", respectively.