Age | Commit message (Collapse) | Author | Files | Lines |
|
This is because we don't want to do HTTP requests on every evaluation,
even though we can prevent a full redownload via the cached ETag. The
default is one hour.
|
|
ETags are used to prevent redownloading unchanged files.
|
|
This broke NixOS VM tests.
Mostly reverts 27b7b94923d2f207781b438bb7a57669bddf7d2b,
5ce50cd99e740d0d0f18c30327ae687be9356553,
afa433e58c3fe6029660a43fdc2073c9d15b4210.
|
|
This was causing NixOS VM tests to fail mysteriously since
5ce50cd99e740d0d0f18c30327ae687be9356553. Nscd could (sometimes) no
longer read /etc/hosts:
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
Probably there was some wacky interaction between the guest kernel and
the 9pfs implementation in QEMU.
|
|
This function downloads and unpacks the given URL at evaluation
time. This is primarily intended to make it easier to deal with Nix
expressions that have external dependencies. For instance, to fetch
Nixpkgs 14.12:
with import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz) {};
Or to fetch a specific revision:
with import (fetchTarball https://github.com/NixOS/nixpkgs/archive/2766a4b44ee6eafae03a042801270c7f6b8ed32a.tar.gz) {};
This patch also adds a ‘fetchurl’ builtin that downloads but doesn't
unpack its argument. Not sure if it's useful though.
|
|
|
|
|
|
Thus, for example, to get /bin/sh in a chroot, you only need to
specify /bin/sh=${pkgs.bash}/bin/sh in build-chroot-dirs. The
dependencies of sh will be added automatically.
|
|
|
|
This doesn't work anymore if the "strict" chroot mode is
enabled. Instead, add Nix's store path as a dependency. This ensures
that its closure is present in the chroot.
|
|
This may remove the "Repeated allocation of very large block"
warnings.
|
|
We were calling GC_INIT() after doing an allocation (in the baseEnv
construction), which is not allowed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I'm seeing hangs in Glibc's setxid_mark_thread() again. This is
probably because the use of an intermediate process to make clone()
safe from a multi-threaded program (see
524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of
vfork(), since the intermediate process will have a copy of Glibc's
threading data structures due to the vfork(). So use a regular fork()
again.
|
|
Make the default impure prefix include all of /System/Library
|
|
of /System/Library, since we also want PrivateFrameworks from there and (briefly) TextEncodings, and who knows what else. Yay infectious impurities?
|
|
|
|
|
|
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are
now also chrooted. However, unlike normal derivations, they don't get
a private network namespace, so they can still access the
network. Also, the use of the ‘__noChroot’ derivation attribute is
no longer allowed.
Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
|
|
If ‘--option restrict-eval true’ is given, the evaluator will throw an
exception if an attempt is made to access any file outside of the Nix
search path. This is primarily intended for Hydra, where we don't want
people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This ensures proper permissions for the secret key.
|
|
|
|
Closes #473.
|
|
chroot only changes the process root directory, not the mount namespace root
directory, and it is well-known that any process with chroot capability can
break out of a chroot "jail". By using pivot_root as well, and unmounting the
original mount namespace root directory, breaking out becomes impossible.
Non-root processes typically have no ability to use chroot() anyway, but they
can gain that capability through the use of clone() or unshare(). For security
reasons, these syscalls are limited in functionality when used inside a normal
chroot environment. Using pivot_root() this way does allow those syscalls to be
put to their full use.
|
|
|
|
|
|
|
|
Fixes #453
|
|
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.
The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
|
|
|
|
|
|
baseNameOf: Don't copy paths to the store first
|
|
due to user permissions)
|
|
$ nix-env -f ~/Dev/nixops/ -iA foo
nix-env: src/libexpr/eval.hh:57: void nix::Bindings::push_back(const nix::Attr&): Assertion `size_ < capacity' failed.
Aborted
|
|
These directories are generally world-readable anyway, and give us the two
most common linux impurities (env and sh)
|
|
|
|
Since these come from untrusted users, we shouldn't do any I/O on them
before we've checked that they're in an allowed prefix.
|