about summary refs log tree commit diff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2015-04-18 Add the pre-build hook.Shea Levy3-0/+41
This hook can be used to set system-specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files through the interface, but it also has full access to the chroot root. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-support system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-18 Revert "Add the pre-build hook."Shea Levy3-112/+0
Going to reimplement differently. This reverts commit 1e4a4a2e9fc382f47f58b448f3ee034cdd28218a.
2015-04-16 Fix using restricted mode with chrootsEelco Dolstra4-0/+9
2015-04-12 Add the pre-build hook.Shea Levy3-0/+112
This hook can be used to set system specific per-derivation build settings that don't fit into the derivation model and are too complex or volatile to be hard-coded into nix. Currently, the pre-build hook can only add chroot dirs/files. The specific use case for this is systems where the operating system ABI is more complex than just the kernel-supported system calls. For example, on OS X there is a set of system-provided frameworks that can reliably be accessed by any program linked to them, no matter the version the program is running on. Unfortunately, those frameworks do not necessarily live in the same locations on each version of OS X, nor do their dependencies, and thus nix needs to know the specific version of OS X currently running in order to make those frameworks available. The pre-build hook is a perfect mechanism for doing just that.
2015-04-09 Use cached result if there is a network errorEelco Dolstra3-8/+15
2015-04-09 Move curl stuff into a separate fileEelco Dolstra3-112/+150
2015-04-09 Implement a TTL on cached fetchurl/fetchTarball resultsEelco Dolstra3-13/+34
This is because we don't want to do HTTP requests on every evaluation, even though we can prevent a full redownload via the cached ETag. The default is one hour.
2015-04-09 Implement caching of fetchurl/fetchTarball resultsEelco Dolstra4-24/+147
ETags are used to prevent redownloading unchanged files.
2015-04-07 Revert /nix/store permission back to 01775Eelco Dolstra2-2/+2
This broke NixOS VM tests. Mostly reverts 27b7b94923d2f207781b438bb7a57669bddf7d2b, 5ce50cd99e740d0d0f18c30327ae687be9356553, afa433e58c3fe6029660a43fdc2073c9d15b4210.
2015-04-02 Chroot builds: Provide world-readable /nix/storeEelco Dolstra1-1/+1
This was causing NixOS VM tests to fail mysteriously since 5ce50cd99e740d0d0f18c30327ae687be9356553. Nscd could (sometimes) no longer read /etc/hosts: open("/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) Probably there was some wacky interaction between the guest kernel and the 9pfs implementation in QEMU.
2015-03-25 Add fetchTarball builtinEelco Dolstra2-1/+120
This function downloads and unpacks the given URL at evaluation time. This is primarily intended to make it easier to deal with Nix expressions that have external dependencies. For instance, to fetch Nixpkgs 14.12: with import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz) {}; Or to fetch a specific revision: with import (fetchTarball https://github.com/NixOS/nixpkgs/archive/2766a4b44ee6eafae03a042801270c7f6b8ed32a.tar.gz) {}; This patch also adds a ‘fetchurl’ builtin that downloads but doesn't unpack its argument. Not sure if it's useful though.
2015-03-25 addToStore(): Take explicit name argumentEelco Dolstra8-35/+35
2015-03-24 Improve setting the default chroot dirsEelco Dolstra2-2/+7
2015-03-24 Add the closure of store paths to the chrootEelco Dolstra1-0/+8
Thus, for example, to get /bin/sh in a chroot, you only need to specify /bin/sh=${pkgs.bash}/bin/sh in build-chroot-dirs. The dependencies of sh will be added automatically.
2015-03-24 Tighten permissions on chroot directoriesEelco Dolstra1-2/+12
2015-03-24 Don't rely on __noChroot for corepkgsEelco Dolstra1-2/+5
This doesn't work anymore if the "strict" chroot mode is enabled. Instead, add Nix's store path as a dependency. This ensures that its closure is present in the chroot.
2015-03-19 Disable scanning for interior pointersEelco Dolstra1-0/+2
This may remove the "Repeated allocation of very large block" warnings.
2015-03-19 Fix Boehm API violationEelco Dolstra4-38/+48
We were calling GC_INIT() after doing an allocation (in the baseEnv construction), which is not allowed.
2015-03-19 Check return values from malloc/strdupEelco Dolstra1-11/+34
2015-03-18 Print some Boehm GC statsEelco Dolstra1-0/+7
2015-03-18 valueSize(): Take into account list/bindings/env sizeEelco Dolstra1-6/+15
2015-03-06 Fix typos: s/the the/the/Daniel Hahler2-2/+2
2015-03-06 forceValueDeep: Add to error prefixEelco Dolstra1-2/+7
2015-03-06 Improve error messageEelco Dolstra2-19/+25
2015-03-04 Add option to hide display of missing pathsEelco Dolstra1-1/+2
2015-03-04 Don't use vfork() before clone()Eelco Dolstra1-1/+3
I'm seeing hangs in Glibc's setxid_mark_thread() again. This is probably because the use of an intermediate process to make clone() safe from a multi-threaded program (see 524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of vfork(), since the intermediate process will have a copy of Glibc's threading data structures due to the vfork(). So use a regular fork() again.
2015-03-03 Merge branch 'allow-system-library' of git://github.com/copumpkin/nixShea Levy1-1/+1
Make the default impure prefix include all of /System/Library
2015-03-02 Make the default impure prefix (not actual allowed impurities!) include all ↵Dan Peebles1-1/+1
of /System/Library, since we also want PrivateFrameworks from there and (briefly) TextEncodings, and who knows what else. Yay infectious impurities?
2015-03-02 Allow local networking in the darwin sandbox to appease testsDan Peebles1-0/+3
2015-02-23 More graceful fallback for chroots on Linux < 2.13Eelco Dolstra1-6/+5
2015-02-23 Use chroots for all derivationsEelco Dolstra3-17/+35
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
2015-02-23 Add restricted evaluation modeEelco Dolstra5-11/+50
If ‘--option restrict-eval true’ is given, the evaluator will throw an exception if an attempt is made to access any file outside of the Nix search path. This is primarily intended for Hydra, where we don't want people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
2015-02-19 Merge branch 'tilde-paths' of https://github.com/shlevy/nixEelco Dolstra3-2/+6
2015-02-19 tilde paths: The rest of the string has to start with a slash anywayShea Levy1-1/+1
2015-02-19 tilde paths: construct the entire path at parse timeShea Levy1-6/+1
2015-02-19 tilde paths: get HOME at parse timeShea Levy1-3/+1
2015-02-19 Remove obsolete reference to ~ operatorEelco Dolstra1-1/+0
2015-02-19 ExprConcatStrings: canonicalize concatenated pathsShea Levy1-1/+2
2015-02-19 Allow the leading component of a path to be a ~Shea Levy2-1/+11
2015-02-18 nix-store --generate-binary-cache-key: Write key to diskEelco Dolstra1-4/+8
This ensures proper permissions for the secret key.
2015-02-17 Use $<attr>Path instead of $<attr> for passAsFileEelco Dolstra1-1/+1
2015-02-17 Allow passing attributes via files instead of environment variablesEelco Dolstra1-4/+16
Closes #473.
2015-02-16 Use pivot_root in addition to chroot when possibleHarald van Dijk1-7/+28
chroot only changes the process root directory, not the mount namespace root directory, and it is well-known that any process with chroot capability can break out of a chroot "jail". By using pivot_root as well, and unmounting the original mount namespace root directory, breaking out becomes impossible. Non-root processes typically have no ability to use chroot() anyway, but they can gain that capability through the use of clone() or unshare(). For security reasons, these syscalls are limited in functionality when used inside a normal chroot environment. Using pivot_root() this way does allow those syscalls to be put to their full use.
2015-02-10 Make libsodium an optional dependencyEelco Dolstra1-0/+6
2015-02-10 Add base64 encoder/decoderEelco Dolstra3-8/+66
2015-02-05 Remove tabEelco Dolstra1-1/+1
2015-02-04 Require linux 3.13 or later for chrootShea Levy1-1/+6
Fixes #453
2015-02-04 Use libsodium instead of OpenSSL for binary cache signingEelco Dolstra4-10/+53
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2015-02-03 Simplify parseHash32Eelco Dolstra1-37/+10
2015-02-03 Simplify printHash32Eelco Dolstra1-35/+17