about summary refs log tree commit diff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2017-06-19 Disable use of virtual hosting in aws-sdk-cppEelco Dolstra1-1/+1
Recently aws-sdk-cpp quietly switched to using S3 virtual host URIs (https://github.com/aws/aws-sdk-cpp/commit/69d9c53882), i.e. it sends requests to http://<bucket>.<region>.s3.amazonaws.com rather than http://<region>.s3.amazonaws.com/<bucket>. However this interacts badly with curl connection reuse. For example, if we do the following: 1) Check whether a bucket exists using GetBucketLocation. 2) If it doesn't, create it using CreateBucket. 3) Do operations on the bucket. then 3) will fail for a minute or so with a NoSuchBucket exception, presumably because the server being hit is a fallback for cases when buckets don't exist. Disabling the use of virtual hosts ensures that 3) succeeds immediately. (I don't know what S3's consistency guarantees are for bucket creation, but in practice buckets appear to be available immediately.)
2017-06-19 Support creating S3 caches in other regions than us-east-1Eelco Dolstra1-4/+10
2017-06-19 Handle S3Errors::RESOURCE_NOT_FOUND from aws-sdk-cppEelco Dolstra1-2/+4
This is returned by recent versions. Also handle NO_SUCH_KEY even though the library doesn't actually return that at the moment.
2017-06-19 Suppress "will retry in N ms" for non-retriable errorsEelco Dolstra1-5/+6
Newer versions of aws-sdk-cpp call CalculateDelayBeforeNextRetry() even for non-retriable errors (like NoSuchKey) whih causes log spam in hydra-queue-runner.
2017-06-19 Show aws-sdk-cpp log messagesEelco Dolstra1-0/+22
2017-06-19 macOS: Ugly hack to make the tests succeedEelco Dolstra1-3/+2
Sandboxes cannot be nested, so if Nix's build runs inside a sandbox, it cannot use a sandbox itself. I don't see a clean way to detect whether we're in a sandbox, so use a test-specific hack. https://github.com/NixOS/nix/issues/1413
2017-06-19 macOS: Remove flagsEelco Dolstra1-0/+10
In particular, UF_IMMUTABLE (uchg) needs to be cleared to allow the path to be garbage-collected or optimised. See https://github.com/NixOS/nixpkgs/issues/25819. + the file from being garbage-collected.
2017-06-14 Remove redundant debug lineEelco Dolstra1-2/+0
2017-06-14 canonicalisePathMetaData(): Ignore security.selinux attributeEelco Dolstra1-2/+6
Untested, hopefully fixes #1406.
2017-06-12 Suppress spurious "killing process N: Operation not permitted" on macOSEelco Dolstra1-2/+9
2017-06-12 On macOS, don't use /var/folders for TMPDIREelco Dolstra1-0/+8
This broke "nix-store --serve".
2017-06-12 Provide a builtin default for $NIX_SSL_CERT_FILEEelco Dolstra2-4/+13
This is mostly to ensure that when Nix is started on macOS via a launchd service or sshd (for a remote build), it gets a certificate bundle.
2017-06-12 Don't run pre-build-hook if we don't have a derivationEelco Dolstra1-1/+1
This fixes a build failure on OS X when using Hydra or Nix 1.12's build-remote (since they don't copy the derivation to the build machine).
2017-06-07 Don't show flags from config settings in "nix --help"Eelco Dolstra9-54/+140
2017-06-07 nix: Add --help-config flagEelco Dolstra3-2/+30
2017-06-07 nix: Make all options available as flagsEelco Dolstra4-0/+40
Thus, instead of ‘--option <name> <value>’, you can write ‘--<name> <value>’. So --option http-connections 100 becomes --http-connections 100 Apart from brevity, the difference is that it's not an error to set a non-existent option via --option, but unrecognized arguments are fatal. Boolean options have special treatment: they're mapped to the argument-less flags ‘--<name>’ and ‘--no-<name>’. E.g. --option auto-optimise-store false becomes --no-auto-optimise-store
2017-06-06 Disable the build user mechanism on all platforms except Linux and OS XEelco Dolstra1-0/+6
2017-06-06 Always use the Darwin sandboxEelco Dolstra4-83/+98
Even with "build-use-sandbox = false", we now use sandboxing with a permissive profile that allows everything except the creation of setuid/setgid binaries.
2017-05-31 Remove listxattr assertionEelco Dolstra1-2/+0
It appears that sometimes, listxattr() returns a different value for the query case (i.e. when the buffer size is 0).
2017-05-31 OS X sandbox: Improve builtin sandbox profileEelco Dolstra4-59/+76
Also, add rules to allow fixed-output derivations to access the network. These rules are sufficient to build stdenvDarwin without any __sandboxProfile magic.
2017-05-31 resolve-system-dependencies: Misc fixesEelco Dolstra1-22/+20
This fixes Could not find any mach64 blobs in file ‘/usr/lib/libSystem.B.dylib’, continuing...
2017-05-31 resolve-system-dependencies: SimplifyEelco Dolstra1-10/+1
2017-05-31 OS X sandbox: Don't use a deterministic $TMPDIREelco Dolstra1-3/+0
This doesn't work because the OS X sandbox cannot bind-mount path to a different location.
2017-05-31 OS X sandbox: Store .sb file in $TMPDIR rather than the Nix storeEelco Dolstra1-4/+1
The filename used was not unique and owned by the build user, so builds could fail with error: while setting up the build environment: cannot unlink ‘/nix/store/99i210ihnsjacajaw8r33fmgjvzpg6nr-bison-3.0.4.drv.sb’: Permission denied
2017-05-30 resolve-system-dependencies: Fix another segfaultEelco Dolstra1-0/+5
runResolver() was barfing on directories like /System/Library/Frameworks/Security.framework/Versions/Current/PlugIns. It should probably do something sophisticated for frameworks, but let's ignore them for now.
2017-05-30 Darwin sandbox: Use sandbox-defaults.sbEelco Dolstra4-14/+17
Issue #759. Also, remove nix.conf from the sandbox since I don't really see a legitimate reason for builders to access the Nix configuration.
2017-05-30 Darwin sandbox: Disallow creating setuid/setgid binariesEelco Dolstra1-0/+4
Suggested by Daiderd Jordan.
2017-05-30 resolve-system-dependencies: Several fixesEelco Dolstra1-53/+65
This fixes error: getting attributes of path ‘Versions/Current/CoreFoundation’: No such file or directory when /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation is a symlink. Also fixes a segfault when encounting a file that is not a MACH binary (such as /dev/null, which is included in __impureHostDeps in Nixpkgs). Possibly fixes #786.
2017-05-30 Fix seccomp build failure on clangEelco Dolstra1-3/+3
Fixes src/libstore/build.cc:2321:45: error: non-constant-expression cannot be narrowed from type 'int' to 'scmp_datum_t' (aka 'unsigned long') in initializer list [-Wc++11-narrowing]
2017-05-30 Shut up some clang warningsEelco Dolstra1-7/+7
2017-05-30 Add a seccomp rule to disallow setxattr()Eelco Dolstra1-1/+9
2017-05-30 canonicalisePathMetaData(): Remove extended attributes / ACLsEelco Dolstra1-0/+22
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an ACL allows a builder to create writable files in the Nix store. So get rid of them. Closes #185.
2017-05-30 Require seccomp only in multi-user setupsEelco Dolstra1-1/+5
2017-05-29 Fix seccomp initialisation on i686-linuxEelco Dolstra1-1/+2
2017-05-29 Add a seccomp filter to prevent creating setuid/setgid binariesEelco Dolstra2-0/+43
This prevents builders from setting the S_ISUID or S_ISGID bits, preventing users from using a nixbld* user to create a setuid/setgid binary to interfere with subsequent builds under the same nixbld* uid. This is based on aszlig's seccomp code (47f587700d646f5b03a42f2fa57c28875a31efbe). Reported by Linus Heckemann.
2017-05-29 Fix nix-copy-closure testEelco Dolstra1-0/+1
Fixes client# error: size mismatch importing path ‘/nix/store/ywf5fihjlxwijm6ygh6s0a353b5yvq4d-libidn2-0.16’; expected 0, got 120264 This is mostly an artifact of the NixOS VM test environment, where the Nix database doesn't contain hashes/sizes. http://hydra.nixos.org/build/53537471
2017-05-29 Fix build failure on Debian/UbuntuEelco Dolstra3-2/+2
http://hydra.nixos.org/build/53537463
2017-05-29 Fix typoEelco Dolstra1-1/+1
2017-05-24 Fix #1314Eelco Dolstra1-1/+2
Also, make nix-shell respect --option. (Previously it only passed it along to nix-instantiate and nix-build.)
2017-05-24 Merge branch 'topic/cores-master' of https://github.com/neilmayhew/nixEelco Dolstra1-0/+1
2017-05-24 Fix #1380Eelco Dolstra1-1/+1
It lacked a backslash. Use a raw string and single quotes around PS1 to simplify this.
2017-05-24 Merge branch 'prompt-terminator' of https://github.com/lheckemann/nixEelco Dolstra1-1/+1
2017-05-24 Merge branch 'nar-accessor-tree' of https://github.com/bennofs/nixEelco Dolstra1-33/+75
2017-05-17 builtins.match: Improve error message for bad regular expressionEelco Dolstra1-16/+23
Issue #1331.
2017-05-16 Improve progress indicatorEelco Dolstra26-168/+339
2017-05-15 nar-accessor.cc: remove unused member NarIndexer::currentNameBenno Fünfstück1-2/+1
2017-05-15 nar-accessor: non-recursive NarMember::findBenno Fünfstück1-21/+21
This avoids a possible stack overflow if directories are very deeply nested.
2017-05-15 Simplify fixed-output checkEelco Dolstra1-6/+2
2017-05-15 Disallow outputHash being null or an empty stringEelco Dolstra1-4/+5
Fixes #1384.
2017-05-15 Add --with-sandbox-shell configure flagEelco Dolstra2-3/+3
And add a 116 KiB ash shell from busybox to the release build. This helps to make sandbox builds work out of the box on non-NixOS systems and with diverted stores.