about summary refs log tree commit diff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-08-02 Add integer ‘-’, ‘*’ and ‘/’ operatorsEelco Dolstra1-1/+5
2013-08-02 Add a unary integer negation operatorEelco Dolstra1-2/+4
This allows saying "-1" instead of "builtins.sub 0 1".
2013-08-02 Overload the ‘+’ operator to support integer additionEelco Dolstra1-11/+19
2013-07-31 Make Env smallerEelco Dolstra2-21/+23
Commit 20866a7031ca823055a221653b77986faa167329 added a ‘withAttrs’ field to Env, which is annoying because it makes every Env structure bigger and we allocate millions of them. E.g. NixOS evaluation took 18 MiB more. So this commit squeezes ‘withAttrs’ into values[0]. Probably should use a union...
2013-07-31 Don't use NULLEelco Dolstra1-4/+2
2013-07-31 Avoid thunks when a fromWith var can be looked up without evaluationShea Levy2-8/+8
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-31 Delay evaulation of `with` attrs until a variable lookup needs themShea Levy2-7/+13
Evaluation of attribute sets is strict in the attribute names, which means immediate evaluation of `with` attribute sets rules out some potentially interesting use cases (e.g. where the attribute names of one set depend in some way on another but we want to bring those names into scope for some values in the second set). The major example of this is overridable self-referential package sets (e.g. all-packages.nix). With immediate `with` evaluation, the only options for such sets are to either make them non-recursive and explicitly use the name of the overridden set in non-overridden one every time you want to reference another package, or make the set recursive and use the `__overrides` hack. As shown in the test case that comes with this commit, though, delayed `with` evaluation allows a nicer third alternative. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-30 Detect stack overflowsEelco Dolstra3-1/+80
Previously, if the Nix evaluator gets a stack overflow due to a deep or infinite recursion in the Nix expression, the user gets an unhelpful message ("Segmentation fault") that doesn't indicate that the problem is in the user's code rather than Nix itself. Now it prints: error: stack overflow (possible infinite recursion) This only works on x86_64-linux and i686-linux. Fixes #35.
2013-07-30 killUser: Don't let the child kill itself on AppleShea Levy1-0/+13
The kill(2) in Apple's libc follows POSIX semantics, which means that kill(-1, SIGKILL) will kill the calling process too. Since nix has no way to distinguish between the process successfully killing everything and the process being killed by a rogue builder in that case, it can't safely conclude that killUser was successful. Luckily, the actual kill syscall takes a parameter that determines whether POSIX semantics are followed, so we can call that syscall directly and avoid the issue on Apple. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-18 Revert "build-remote.pl: Enforce timeouts locally"Eelco Dolstra1-1/+3
This reverts commit 69b8f9980f39c14a59365a188b300a34d625a2cd. The timeout should be enforced remotely. Otherwise, if the garbage collector is running either locally or remotely, if will block the build or closure copying for some time. If the garbage collector takes too long, the build may time out, which is not what we want. Also, on heavily loaded systems, copying large paths to and from the remote machine can take a long time, also potentially resulting in a timeout.
2013-07-15 Allow bind-mounting regular files into the chrootShea Levy1-1/+9
mount(2) with MS_BIND allows mounting a regular file on top of a regular file, so there's no reason to only bind directories. This allows finer control over just which files are and aren't included in the chroot without having to build symlink trees or the like. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-07-12 Garbage collector: Don't follow symlinks arbitrarilyEelco Dolstra4-45/+53
Only indirect roots (symlinks to symlinks to the Nix store) are now supported.
2013-07-07 Leave `HAVE_HUP_NOTIFICATION' undefined on GNU/Hurd.Ludovic Courtès1-2/+7
2013-06-20 Don't set $preferLocalBuild and $requiredSystemFeatures in buildersEelco Dolstra2-8/+15
With C++ std::map, doing a comparison like ‘map["foo"] == ...’ has the side-effect of adding a mapping from "foo" to the empty string if "foo" doesn't exist in the map. So we ended up setting some environment variables by accident.
2013-06-20 Don't substitute derivations that have preferLocalBuild setEelco Dolstra3-7/+15
In particular this means that "trivial" derivations such as writeText are not substituted, reducing the number of GET requests to the binary cache by about 200 on a typical NixOS configuration.
2013-06-20 Increase SQLite's auto-checkpoint intervalEelco Dolstra1-2/+2
Common operations like instantiating a NixOS system config no longer fitted in 8192 pages, leading to more fsyncs. So increase this limit.
2013-06-20 Disable the copy-from-other-stores substituterEelco Dolstra1-0/+2
This substituter basically cannot work reliably since we switched to SQLite, since SQLite databases may need write access to open them even just for reading (and in WAL mode they always do).
2013-06-20 Don't keep "disabled" substituters runningEelco Dolstra3-2/+28
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-13 Allow hard links between the outputs of a derivationEelco Dolstra3-9/+20
2013-06-13 Fix a security bug in hash rewritingEelco Dolstra1-0/+6
Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled.
2013-06-13 Fix assertion failure in canonicalisePathMetaData() after hash rewritingEelco Dolstra1-2/+9
The assertion in canonicalisePathMetaData() failed because the ownership of the path already changed due to the hash rewriting. The solution is not to check the ownership of rewritten paths. Issue #122.
2013-06-13 computeFSClosure: Only process the missing/corrupt pathsEelco Dolstra1-11/+17
Issue #122.
2013-06-13 In repair mode, update the hash of rebuilt pathsEelco Dolstra2-4/+5
Otherwise subsequent invocations of "--repair" will keep rebuilding the path. This only happens if the path content differs between builds (e.g. due to timestamps).
2013-06-12 nix-daemon: Trust options like binary-caches when the client is rootEelco Dolstra1-5/+7
Fixes #127.
2013-06-07 Remove obsolete EOF checksEelco Dolstra1-26/+18
2013-06-07 Process stderr from substituters while doing have/info queriesEelco Dolstra4-9/+59
2013-06-07 Buffer reads from the substituterEelco Dolstra2-10/+27
This greatly reduces the number of system calls.
2013-05-23 nix-store --export: Export paths in topologically sorted orderEelco Dolstra2-2/+4
Fixes #118.
2013-05-16 Show function names in error messagesEelco Dolstra5-8/+43
Functions in Nix are anonymous, but if they're assigned to a variable/attribute, we can use the variable/attribute name in error messages, e.g. while evaluating `concatMapStrings' at `/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/pkgs/lib/strings.nix:18:25': ...
2013-05-16 Show which function argument was unexpectedEelco Dolstra1-5/+9
Fixes #116.
2013-05-16 Shut up a compiler warningEelco Dolstra1-1/+1
2013-05-10 In trace messages, don't print the output pathEelco Dolstra1-19/+15
This doesn't work if there is no output named "out". Hydra didn't use it anyway.
2013-05-09 Communicate build timeouts to HydraEelco Dolstra1-7/+11
2013-05-09 build-remote.pl: Enforce timeouts locallyEelco Dolstra1-3/+1
Don't pass --timeout / --max-silent-time to the remote builder. Instead, let the local Nix process terminate the build if it exceeds a timeout. The remote builder will be killed as a side-effect. This gives better error reporting (since the timeout message from the remote side wasn't properly propagated) and handles non-Nix problems like SSH hangs.
2013-05-01 Don't let stderr writes in substituters cause a deadlockEelco Dolstra1-0/+4
2013-04-26 addAdditionalRoots(): Check each path only onceEelco Dolstra1-2/+2
2013-04-23 Fix --timeoutEelco Dolstra1-38/+25
I'm not sure if it has ever worked correctly. The line "lastWait = after;" seems to mean that the timer was reset every time a build produced log output. Note that the timeout is now per build, as documented ("the maximum number of seconds that a builder can run").
2013-04-23 Nix daemon: respect build timeout from the clientEelco Dolstra2-4/+5
2013-04-04 Complain if /homeless-shelter existsEelco Dolstra1-1/+5
2013-03-25 makeStoreWritable: Ask forgiveness, not permissionShea Levy1-2/+2
It is surprisingly impossible to check if a mountpoint is a bind mount on Linux, and in my previous commit I forgot to check if /nix/store was even a mountpoint at all. statvfs.f_flag is not populated with MS_BIND (and even if it were, my check was wrong in the previous commit). Luckily, the semantics of mount with MS_REMOUNT | MS_BIND make both checks unnecessary: if /nix/store is not a mountpoint, then mount will fail with EINVAL, and if /nix/store is not a bind-mount, then it will not be made writable. Thus, if /nix/store is not a mountpoint, we fail immediately (since we don't know how to make it writable), and if /nix/store IS a mountpoint but not a bind-mount, we fail at first write (see below for why we can't check and fail immediately). Note that, due to what is IMO buggy behavior in Linux, calling mount with MS_REMOUNT | MS_BIND on a non-bind readonly mount makes the mountpoint appear writable in two places: In the sixth (but not the 10th!) column of mountinfo, and in the f_flags member of struct statfs. All other syscalls behave as if the mount point were still readonly (at least for Linux 3.9-rc1, but I don't think this has changed recently or is expected to soon). My preferred semantics would be for MS_REMOUNT | MS_BIND to fail on a non-bind mount, as it doesn't make sense to remount a non bind-mount as a bind mount.
2013-03-25 makeStoreWritable: Use statvfs instead of /proc/self/mountinfo to find out ↵Shea Levy1-21/+12
if /nix/store is a read-only bind mount /nix/store could be a read-only bind mount even if it is / in its own filesystem, so checking the 4th field in mountinfo is insufficient. Signed-off-by: Shea Levy <shea@shealevy.com>
2013-03-14 Fix building against Bison 2.6Eelco Dolstra2-6/+4
2013-03-14 Make sure that thunks are restored properly if an exception occursEelco Dolstra1-3/+6
Fixes Hydra bug #67.
2013-03-08 Revert "Prevent config.h from being clobbered"Eelco Dolstra16-104/+177
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-07 Prevent config.h from being clobberedEelco Dolstra16-177/+104
2013-02-28 Handle systems without lutimes() or lchown()Eelco Dolstra1-1/+1
2013-02-28 Handle symlinks properlyEelco Dolstra1-1/+1
Now it's really brown paper bag time...
2013-02-27 Handle hard links to other files in the outputEelco Dolstra1-6/+26
2013-02-27 Refactoring: Split off the non-recursive canonicalisePathMetaData()Eelco Dolstra3-37/+52
Also, change the file mode before changing the owner. This prevents a slight time window in which a setuid binary would be setuid root.
2013-02-26 Security: Don't allow builders to change permissions on files they don't ownEelco Dolstra5-20/+17
It turns out that in multi-user Nix, a builder may be able to do ln /etc/shadow $out/foo Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad. Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is: echo 1 > /proc/sys/fs/protected_hardlinks The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway.