2006-08-21 19:05:11 +03:00
|
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
|
<chapter xmlns="http://docbook.org/ns/docbook"
|
|
|
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
|
|
|
xml:id="chap-installation">
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
<title>Installation</title>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
|
|
|
|
|
2007-05-17 01:07:39 +03:00
|
|
|
|
<section><title>Supported platforms</title>
|
|
|
|
|
|
|
|
|
|
<para>Nix is currently supported on the following platforms:
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Linux (particularly on x86, x86_64, and
|
|
|
|
|
PowerPC).</para></listitem>
|
|
|
|
|
|
2012-05-12 00:39:06 +03:00
|
|
|
|
<listitem><para>Mac OS X.</para></listitem>
|
2007-05-17 01:07:39 +03:00
|
|
|
|
|
|
|
|
|
<listitem><para>FreeBSD (only tested on Intel).</para></listitem>
|
|
|
|
|
|
2012-05-12 00:39:06 +03:00
|
|
|
|
<!--
|
2007-05-17 01:07:39 +03:00
|
|
|
|
<listitem><para>Windows through <link
|
|
|
|
|
xlink:href="http://www.cygwin.com/">Cygwin</link>.</para>
|
|
|
|
|
|
|
|
|
|
<warning><para>On Cygwin, Nix <emphasis>must</emphasis> be installed
|
|
|
|
|
on an NTFS partition. It will not work correctly on a FAT
|
|
|
|
|
partition.</para></warning>
|
|
|
|
|
|
|
|
|
|
</listitem>
|
2012-05-12 00:39:06 +03:00
|
|
|
|
-->
|
2007-05-17 01:07:39 +03:00
|
|
|
|
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>Nix is pretty portable, so it should work on most other Unix
|
|
|
|
|
platforms as well.</para>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
2012-05-24 19:04:07 +03:00
|
|
|
|
<section><title>Installing a binary distribution</title>
|
|
|
|
|
|
|
|
|
|
<para>The easiest way to install Nix is to use a binary package.
|
|
|
|
|
Binary packages of the latest stable release are available for Fedora,
|
|
|
|
|
Debian, Ubuntu, Mac OS X and various other systems from the <link
|
|
|
|
|
xlink:href="http://nixos.org/nix/download.html">Nix homepage</link>.
|
|
|
|
|
You can also get builds of the latest development release from our
|
|
|
|
|
<link
|
2013-10-24 17:02:08 +03:00
|
|
|
|
xlink:href="http://hydra.nixos.org/job/nix/trunk/release/latest-finished#tabs-constituents">continuous
|
2012-05-24 19:04:07 +03:00
|
|
|
|
build system</link>.</para>
|
|
|
|
|
|
|
|
|
|
<para>For Fedora, RPM packages are available. These can be installed
|
|
|
|
|
or upgraded using <command>rpm -U</command>. For example,
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ rpm -U nix-1.0-1.i386.rpm</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>For Debian and Ubuntu, you can download a Deb package and
|
|
|
|
|
install it like this:
|
2006-08-21 19:05:11 +03:00
|
|
|
|
|
2012-05-24 19:04:07 +03:00
|
|
|
|
<screen>
|
|
|
|
|
$ dpkg -i nix_1.0-1_amd64.deb</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>For other platforms, including Mac OS X (Darwin), FreeBSD and
|
|
|
|
|
other Linux distributions, you can download a binary tarball. It
|
|
|
|
|
contains Nix and all its dependencies. You should unpack it in the
|
|
|
|
|
root directory, then run <command>nix-finish-install</command>:
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ cd /
|
|
|
|
|
$ tar xfj nix-1.1-x86_64-darwin.tar.bz2
|
|
|
|
|
$ nix-finish-install
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
After this you can delete
|
|
|
|
|
<filename>/usr/bin/nix-finish-install</filename>.</para>
|
|
|
|
|
|
|
|
|
|
<para>If you plan to use Nix from a single non-root user account, it’s
|
|
|
|
|
probably convenient to change the ownership of the entire Nix store
|
|
|
|
|
and database to that user account. In that case, install as follows:
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
alice$ cd /
|
|
|
|
|
alice$ sudo tar xfj nix-1.1-x86_64-darwin.tar.bz2
|
|
|
|
|
alice$ sudo chown -R alice /nix
|
|
|
|
|
alice$ nix-finish-install
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>Nix can be uninstalled using <command>rpm -e nix</command> or
|
|
|
|
|
<command>dpkg -r nix</command> on RPM- and Dpkg-based systems,
|
|
|
|
|
respectively. After this you should manually remove the Nix store and
|
|
|
|
|
other auxiliary data, if desired:
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ rm -rf /nix</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Installing Nix from source</title>
|
|
|
|
|
|
|
|
|
|
<para>If no binary package is available, you can download and compile
|
|
|
|
|
a source distribution.</para>
|
|
|
|
|
|
|
|
|
|
<section><title>Prerequisites</title>
|
|
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
|
|
2012-09-25 23:11:58 +03:00
|
|
|
|
<listitem><para>GNU Make.</para></listitem>
|
|
|
|
|
|
2012-05-24 19:04:07 +03:00
|
|
|
|
<listitem><para>A fairly recent version of GCC/G++. Version 2.95
|
|
|
|
|
and higher should work. Clang will also work.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Perl 5.8 or higher.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para><command>pkg-config</command> to locate
|
|
|
|
|
dependencies. If your distribution does not provide it, you can get
|
|
|
|
|
it from <link
|
|
|
|
|
xlink:href="http://www.freedesktop.org/wiki/Software/pkg-config"
|
|
|
|
|
/>.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The bzip2 compressor program and the
|
|
|
|
|
<literal>libbz2</literal> library. Thus you must have bzip2
|
|
|
|
|
installed, including development headers and libraries. If your
|
|
|
|
|
distribution does not provide these, you can obtain bzip2 from <link
|
|
|
|
|
xlink:href="http://www.bzip.org/"/>.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The SQLite embedded database library, version 3.6.19
|
|
|
|
|
or higher. If your distribution does not provide it, please install
|
|
|
|
|
it from <link xlink:href="http://www.sqlite.org/" />.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The Perl DBI and DBD::SQLite libraries, which are
|
|
|
|
|
available from <link
|
|
|
|
|
xlink:href="http://search.cpan.org/">CPAN</link> if your
|
|
|
|
|
distribution does not provide them.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The <link
|
|
|
|
|
xlink:href="http://www.hpl.hp.com/personal/Hans_Boehm/gc/">Boehm
|
|
|
|
|
garbage collector</link> to reduce the evaluator’s memory
|
|
|
|
|
consumption (optional). To enable it, install
|
|
|
|
|
<literal>pkgconfig</literal> and the Boehm garbage collector, and
|
|
|
|
|
pass the flag <option>--enable-gc</option> to
|
|
|
|
|
<command>configure</command>.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>The <command>xmllint</command> and
|
|
|
|
|
<command>xsltproc</command> programs to build this manual and the
|
|
|
|
|
man-pages. These are part of the <literal>libxml2</literal> and
|
|
|
|
|
<literal>libxslt</literal> packages, respectively. You also need
|
|
|
|
|
the <link
|
|
|
|
|
xlink:href="http://docbook.sourceforge.net/projects/xsl/">DocBook
|
|
|
|
|
XSL stylesheets</link> and optionally the <link
|
|
|
|
|
xlink:href="http://www.docbook.org/schemas/5x"> DocBook 5.0 RELAX NG
|
|
|
|
|
schemas</link>. Note that these are only required if you modify the
|
|
|
|
|
manual sources or when you are building from the Git
|
|
|
|
|
repository.</para></listitem>
|
|
|
|
|
|
|
|
|
|
<listitem><para>Recent versions of Bison and Flex to build the
|
|
|
|
|
parser. (This is because Nix needs GLR support in Bison and
|
2013-03-14 19:33:15 +02:00
|
|
|
|
reentrancy support in Flex.) For Bison, you need version 2.6, which
|
|
|
|
|
can be obtained from the <link
|
2012-05-24 19:04:07 +03:00
|
|
|
|
xlink:href="ftp://alpha.gnu.org/pub/gnu/bison">GNU FTP
|
2013-03-14 19:33:15 +02:00
|
|
|
|
server</link>. For Flex, you need version 2.5.35, which is
|
2012-05-24 19:04:07 +03:00
|
|
|
|
available on <link
|
|
|
|
|
xlink:href="http://lex.sourceforge.net/">SourceForge</link>.
|
|
|
|
|
Slightly older versions may also work, but ancient versions like the
|
|
|
|
|
ubiquitous 2.5.4a won't. Note that these are only required if you
|
|
|
|
|
modify the parser or when you are building from the Git
|
|
|
|
|
repository.</para></listitem>
|
|
|
|
|
|
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Obtaining a source distribution</title>
|
|
|
|
|
|
|
|
|
|
<para>The source tarball of the most recent stable release can be
|
|
|
|
|
downloaded from the <link
|
|
|
|
|
xlink:href="http://nixos.org/nix/download.html">Nix homepage</link>.
|
|
|
|
|
You can also grab the <link
|
2013-10-24 17:02:08 +03:00
|
|
|
|
xlink:href="http://hydra.nixos.org/job/nix/trunk/release/latest-finished#tabs-constituents">most
|
2012-05-24 19:04:07 +03:00
|
|
|
|
recent development release</link>.</para>
|
2004-10-14 14:54:41 +03:00
|
|
|
|
|
|
|
|
|
<para>Alternatively, the most recent sources of Nix can be obtained
|
2006-08-21 19:05:11 +03:00
|
|
|
|
from its <link
|
2012-05-12 00:39:06 +03:00
|
|
|
|
xlink:href="https://github.com/NixOS/nix">Git
|
2006-08-21 19:05:11 +03:00
|
|
|
|
repository</link>. For example, the following command will check out
|
|
|
|
|
the latest revision into a directory called
|
|
|
|
|
<filename>nix</filename>:</para>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2004-10-14 14:54:41 +03:00
|
|
|
|
<screen>
|
2012-04-09 06:59:02 +03:00
|
|
|
|
$ git clone https://github.com/NixOS/nix</screen>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
<para>Likewise, specific releases can be obtained from the <link
|
2012-05-12 00:39:06 +03:00
|
|
|
|
xlink:href="https://github.com/NixOS/nix/tags">tags</link> of the
|
|
|
|
|
repository.</para>
|
2003-11-26 14:30:16 +02:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
</section>
|
2003-11-26 14:30:16 +02:00
|
|
|
|
|
|
|
|
|
|
2006-10-04 20:07:58 +03:00
|
|
|
|
<section><title>Building Nix from source</title>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2004-10-14 14:54:41 +03:00
|
|
|
|
<para>After unpacking or checking out the Nix sources, issue the
|
|
|
|
|
following commands:
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2004-10-14 14:54:41 +03:00
|
|
|
|
<screen>
|
2003-08-13 18:17:57 +03:00
|
|
|
|
$ ./configure <replaceable>options...</replaceable>
|
|
|
|
|
$ make
|
|
|
|
|
$ make install</screen>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2012-09-25 23:11:58 +03:00
|
|
|
|
Nix requires GNU Make so you may need to invoke
|
|
|
|
|
<command>gmake</command> instead.</para>
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
2012-05-12 00:39:06 +03:00
|
|
|
|
<para>When building from the Git repository, these should be preceded
|
|
|
|
|
by the command:
|
2003-11-26 14:30:16 +02:00
|
|
|
|
|
2004-10-14 14:54:41 +03:00
|
|
|
|
<screen>
|
2010-02-12 12:50:30 +02:00
|
|
|
|
$ ./bootstrap.sh</screen>
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
</para>
|
2003-11-26 14:30:16 +02:00
|
|
|
|
|
2004-10-14 14:54:41 +03:00
|
|
|
|
<para>The installation path can be specified by passing the
|
|
|
|
|
<option>--prefix=<replaceable>prefix</replaceable></option> to
|
|
|
|
|
<command>configure</command>. The default installation directory is
|
2009-11-05 11:07:43 +02:00
|
|
|
|
<filename>/usr/local</filename>. You can change this to any location
|
|
|
|
|
you like. You must have write permission to the
|
2004-10-31 19:08:48 +02:00
|
|
|
|
<replaceable>prefix</replaceable> path.</para>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2009-11-05 11:07:43 +02:00
|
|
|
|
<para>Nix keeps its <emphasis>store</emphasis> (the place where
|
|
|
|
|
packages are stored) in <filename>/nix/store</filename> by default.
|
|
|
|
|
This can be changed using
|
|
|
|
|
<option>--with-store-dir=<replaceable>path</replaceable></option>.</para>
|
2003-11-26 14:30:16 +02:00
|
|
|
|
|
2009-11-05 11:07:43 +02:00
|
|
|
|
<warning><para>It is best <emphasis>not</emphasis> to change the Nix
|
|
|
|
|
store from its default, since doing so makes it impossible to use
|
|
|
|
|
pre-built binaries from the standard Nixpkgs channels — that is, all
|
|
|
|
|
packages will need to be built from source.</para></warning>
|
|
|
|
|
|
|
|
|
|
<para>Nix keeps state (such as its database and log files) in
|
|
|
|
|
<filename>/nix/var</filename> by default. This can be changed using
|
|
|
|
|
<option>--localstatedir=<replaceable>path</replaceable></option>.</para>
|
|
|
|
|
|
|
|
|
|
<para>If you want to rebuild the documentation, pass the full path to
|
2006-09-29 13:31:56 +03:00
|
|
|
|
the DocBook RELAX NG schemas and to the DocBook XSL stylesheets using
|
|
|
|
|
the
|
|
|
|
|
<option>--with-docbook-rng=<replaceable>path</replaceable></option>
|
2004-10-14 14:54:41 +03:00
|
|
|
|
and
|
|
|
|
|
<option>--with-docbook-xsl=<replaceable>path</replaceable></option>
|
|
|
|
|
options.</para>
|
2003-08-13 12:13:52 +03:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
</section>
|
2003-11-26 16:25:39 +02:00
|
|
|
|
|
2004-01-20 13:49:32 +02:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
</section>
|
2004-01-20 13:49:32 +02:00
|
|
|
|
|
|
|
|
|
|
2009-11-05 11:07:43 +02:00
|
|
|
|
<!-- TODO: should be updated
|
2006-10-04 20:07:58 +03:00
|
|
|
|
<section><title>Upgrading Nix through Nix</title>
|
2006-09-29 14:03:16 +03:00
|
|
|
|
|
|
|
|
|
<para>You can install the latest stable version of Nix through Nix
|
|
|
|
|
itself by subscribing to the channel <link
|
2008-06-09 16:42:13 +03:00
|
|
|
|
xlink:href="http://nixos.org/releases/nix/channels/nix-stable" />,
|
2007-10-31 20:01:56 +02:00
|
|
|
|
or the latest unstable version by subscribing to the channel <link
|
2008-06-09 16:42:13 +03:00
|
|
|
|
xlink:href="http://nixos.org/releases/nix/channels/nix-unstable" />.
|
2006-09-29 14:03:16 +03:00
|
|
|
|
You can also do a <link linkend="sec-one-click">one-click
|
|
|
|
|
installation</link> by clicking on the package links at <link
|
2008-06-09 16:42:13 +03:00
|
|
|
|
xlink:href="http://nixos.org/releases/full-index-nix.html" />.</para>
|
2006-09-29 14:03:16 +03:00
|
|
|
|
|
|
|
|
|
</section>
|
2009-11-05 11:07:43 +02:00
|
|
|
|
-->
|
2006-09-29 14:03:16 +03:00
|
|
|
|
|
|
|
|
|
|
2007-05-17 01:07:39 +03:00
|
|
|
|
<section><title>Security</title>
|
|
|
|
|
|
|
|
|
|
<para>Nix has two basic security models. First, it can be used in
|
|
|
|
|
“single-user mode”, which is similar to what most other package
|
|
|
|
|
management tools do: there is a single user (typically <systemitem
|
|
|
|
|
class="username">root</systemitem>) who performs all package
|
|
|
|
|
management operations. All other users can then use the installed
|
|
|
|
|
packages, but they cannot perform package management operations
|
|
|
|
|
themselves.</para>
|
|
|
|
|
|
|
|
|
|
<para>Alternatively, you can configure Nix in “multi-user mode”. In
|
|
|
|
|
this model, all users can perform package management operations — for
|
|
|
|
|
instance, every user can install software without requiring root
|
|
|
|
|
privileges. Nix ensures that this is secure. For instance, it’s not
|
|
|
|
|
possible for one user to overwrite a package used by another user with
|
|
|
|
|
a Trojan horse.</para>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Single-user mode</title>
|
|
|
|
|
|
|
|
|
|
<para>In single-user mode, all Nix operations that access the database
|
|
|
|
|
in <filename><replaceable>prefix</replaceable>/var/nix/db</filename>
|
|
|
|
|
or modify the Nix store in
|
|
|
|
|
<filename><replaceable>prefix</replaceable>/store</filename> must be
|
|
|
|
|
performed under the user ID that owns those directories. This is
|
|
|
|
|
typically <systemitem class="username">root</systemitem>. (If you
|
|
|
|
|
install from RPM packages, that’s in fact the default ownership.)
|
|
|
|
|
However, on single-user machines, it is often convenient to
|
|
|
|
|
<command>chown</command> those directories to your normal user account
|
|
|
|
|
so that you don’t have to <command>su</command> to <systemitem
|
|
|
|
|
class="username">root</systemitem> all the time.</para>
|
2004-10-31 19:08:48 +02:00
|
|
|
|
|
2007-05-17 01:07:39 +03:00
|
|
|
|
</section>
|
2004-10-31 19:08:48 +02:00
|
|
|
|
|
|
|
|
|
|
2007-10-31 20:01:56 +02:00
|
|
|
|
<section xml:id="ssec-multi-user"><title>Multi-user mode</title>
|
2007-01-15 16:50:25 +02:00
|
|
|
|
|
2007-10-31 20:01:56 +02:00
|
|
|
|
<para>To allow a Nix store to be shared safely among multiple users,
|
|
|
|
|
it is important that users are not able to run builders that modify
|
|
|
|
|
the Nix store or database in arbitrary ways, or that interfere with
|
|
|
|
|
builds started by other users. If they could do so, they could
|
|
|
|
|
install a Trojan horse in some package and compromise the accounts of
|
|
|
|
|
other users.</para>
|
2007-01-15 16:50:25 +02:00
|
|
|
|
|
2007-10-31 20:01:56 +02:00
|
|
|
|
<para>To prevent this, the Nix store and database are owned by some
|
|
|
|
|
privileged user (usually <literal>root</literal>) and builders are
|
|
|
|
|
executed under special user accounts (usually named
|
|
|
|
|
<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a
|
|
|
|
|
unprivileged user runs a Nix command, actions that operate on the Nix
|
|
|
|
|
store (such as builds) are forwarded to a <emphasis>Nix
|
|
|
|
|
daemon</emphasis> running under the owner of the Nix store/database
|
|
|
|
|
that performs the operation.</para>
|
2007-01-15 16:50:25 +02:00
|
|
|
|
|
2007-05-17 01:07:39 +03:00
|
|
|
|
<note><para>Multi-user mode has one important limitation: only
|
|
|
|
|
<systemitem class="username">root</systemitem> can run <command
|
|
|
|
|
linkend="sec-nix-pull">nix-pull</command> to register the availability
|
2007-10-31 20:01:56 +02:00
|
|
|
|
of pre-built binaries. However, those registrations are shared by all
|
|
|
|
|
users, so they still get the benefit from <command>nix-pull</command>s
|
|
|
|
|
done by <systemitem class="username">root</systemitem>.</para></note>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Setting up the build users</title>
|
|
|
|
|
|
|
|
|
|
<para>The <emphasis>build users</emphasis> are the special UIDs under
|
|
|
|
|
which builds are performed. They should all be members of the
|
|
|
|
|
<emphasis>build users group</emphasis> (usually called
|
|
|
|
|
<literal>nixbld</literal>). This group should have no other members.
|
|
|
|
|
The build users should not be members of any other group.</para>
|
|
|
|
|
|
|
|
|
|
<para>Here is a typical <filename>/etc/group</filename> definition of
|
|
|
|
|
the build users group with 10 build users:
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
nixbld:!:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
In this example the <literal>nixbld</literal> group has UID 30000, but
|
|
|
|
|
of course it can be anything that doesn’t collide with an existing
|
|
|
|
|
group.</para>
|
|
|
|
|
|
|
|
|
|
<para>Here is the corresponding part of
|
|
|
|
|
<filename>/etc/passwd</filename>:
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
nixbld1:x:30001:65534:Nix build user 1:/var/empty:/noshell
|
|
|
|
|
nixbld2:x:30002:65534:Nix build user 2:/var/empty:/noshell
|
|
|
|
|
nixbld3:x:30003:65534:Nix build user 3:/var/empty:/noshell
|
|
|
|
|
...
|
|
|
|
|
nixbld10:x:30010:65534:Nix build user 10:/var/empty:/noshell
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
The home directory of the build users should not exist or should be an
|
|
|
|
|
empty directory to which they do not have write access.</para>
|
|
|
|
|
|
|
|
|
|
<para>The build users should have write access to the Nix store, but
|
|
|
|
|
they should not have the right to delete files. Thus the Nix store’s
|
|
|
|
|
group should be the build users group, and it should have the sticky
|
|
|
|
|
bit turned on (like <filename>/tmp</filename>):
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ chgrp nixbld /nix/store
|
2011-11-02 21:14:54 +02:00
|
|
|
|
$ chmod 1775 /nix/store
|
2007-10-31 20:01:56 +02:00
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>Finally, you should tell Nix to use the build users by
|
|
|
|
|
specifying the build users group in the <link
|
|
|
|
|
linkend="conf-build-users-group"><literal>build-users-group</literal>
|
|
|
|
|
option</link> in the <link linkend="sec-conf-file">Nix configuration
|
2011-11-03 20:47:10 +02:00
|
|
|
|
file</link> (usually <literal>/etc/nix/nix.conf</literal>):
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
build-users-group = nixbld
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Nix store/database owned by root</title>
|
|
|
|
|
|
|
|
|
|
<para>The simplest setup is to let <literal>root</literal> own the Nix
|
|
|
|
|
store and database. I.e.,
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ chown -R root /nix/store /nix/var/nix</screen>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
2012-10-04 00:57:20 +03:00
|
|
|
|
<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be
|
2008-11-19 17:20:46 +02:00
|
|
|
|
started as follows (as <literal>root</literal>):
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
<screen>
|
2012-10-04 00:57:20 +03:00
|
|
|
|
$ nix-daemon</screen>
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
You’ll want to put that line somewhere in your system’s boot
|
|
|
|
|
scripts.</para>
|
|
|
|
|
|
|
|
|
|
<para>To let unprivileged users use the daemon, they should set the
|
|
|
|
|
<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment
|
|
|
|
|
variable</link> to <literal>daemon</literal>. So you should put a
|
|
|
|
|
line like
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
export NIX_REMOTE=daemon</programlisting>
|
|
|
|
|
|
|
|
|
|
into the users’ login scripts.</para>
|
2007-01-15 16:50:25 +02:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
</section>
|
2004-10-31 19:08:48 +02:00
|
|
|
|
|
2007-05-17 01:07:39 +03:00
|
|
|
|
|
2007-10-31 20:01:56 +02:00
|
|
|
|
<section><title>Nix store/database not owned by root</title>
|
|
|
|
|
|
|
|
|
|
<para>It is also possible to let the Nix store and database be owned
|
|
|
|
|
by a non-root user, which should be more secure<footnote><para>Note
|
|
|
|
|
however that even when the Nix daemon runs as root, not
|
|
|
|
|
<emphasis>that</emphasis> much code is executed as root: Nix
|
|
|
|
|
expression evaluation is performed by the calling (unprivileged) user,
|
|
|
|
|
and builds are performed under the special build user accounts. So
|
|
|
|
|
only the code that accesses the database and starts builds is executed
|
|
|
|
|
as <literal>root</literal>.</para></footnote>. Typically, this user
|
|
|
|
|
is a special account called <literal>nix</literal>, but it can be
|
|
|
|
|
named anything. It should own the Nix store and database:
|
|
|
|
|
|
|
|
|
|
<screen>
|
2011-03-15 15:12:59 +02:00
|
|
|
|
$ chown -R nix /nix/store /nix/var/nix</screen>
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
2012-10-04 00:57:20 +03:00
|
|
|
|
and of course <command>nix-daemon</command> should be started under
|
|
|
|
|
that user, e.g.,
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
<screen>
|
2012-10-04 00:57:20 +03:00
|
|
|
|
$ su - nix -c "exec /nix/bin/nix-daemon"</screen>
|
2007-10-31 20:01:56 +02:00
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
|
|
|
|
<para>There is a catch, though: non-<literal>root</literal> users
|
|
|
|
|
cannot start builds under the build user accounts, since the
|
|
|
|
|
<function>setuid</function> system call is obviously privileged. To
|
|
|
|
|
allow a non-<literal>root</literal> Nix daemon to use the build user
|
|
|
|
|
feature, it calls a setuid-root helper program,
|
|
|
|
|
<command>nix-setuid-helper</command>. This program is installed in
|
|
|
|
|
<filename><replaceable>prefix</replaceable>/libexec/nix-setuid-helper</filename>.
|
|
|
|
|
To set the permissions properly (Nix’s <command>make install</command>
|
|
|
|
|
doesn’t do this, since we don’t want to ship setuid-root programs
|
|
|
|
|
out-of-the-box):
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ chown root.root /nix/libexec/nix-setuid-helper
|
|
|
|
|
$ chmod 4755 /nix/libexec/nix-setuid-helper
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
(This example assumes that the Nix binaries are installed in
|
|
|
|
|
<filename>/nix</filename>.)</para>
|
|
|
|
|
|
|
|
|
|
<para>Of course, the <command>nix-setuid-helper</command> command
|
|
|
|
|
should not be usable by just anybody, since then anybody could run
|
|
|
|
|
commands under the Nix build user accounts. For that reason there is
|
|
|
|
|
a configuration file <filename>/etc/nix-setuid.conf</filename> that
|
|
|
|
|
restricts the use of the helper. This file should be a text file
|
|
|
|
|
containing precisely two lines, the first being the Nix daemon user
|
|
|
|
|
and the second being the build users group, e.g.,
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
nix
|
|
|
|
|
nixbld
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
The setuid-helper barfs if it is called by a user other than the one
|
|
|
|
|
specified on the first line, or if it is asked to execute a build
|
|
|
|
|
under a user who is not a member of the group specified on the second
|
|
|
|
|
line. The file <filename>/etc/nix-setuid.conf</filename> must be
|
|
|
|
|
owned by root, and must not be group- or world-writable. The
|
|
|
|
|
setuid-helper barfs if this is not the case.</para>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<section><title>Restricting access</title>
|
|
|
|
|
|
|
|
|
|
<para>To limit which users can perform Nix operations, you can use the
|
|
|
|
|
permissions on the directory
|
|
|
|
|
<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you
|
|
|
|
|
want to restrict the use of Nix to the members of a group called
|
|
|
|
|
<literal>nix-users</literal>, do
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ chgrp nix-users /nix/var/nix/daemon-socket
|
|
|
|
|
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
This way, users who are not in the <literal>nix-users</literal> group
|
|
|
|
|
cannot connect to the Unix domain socket
|
|
|
|
|
<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot
|
|
|
|
|
perform Nix operations.</para>
|
|
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</section> <!-- end of multi-user -->
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</section> <!-- end of security -->
|
2004-01-20 13:49:32 +02:00
|
|
|
|
|
2003-11-26 16:25:39 +02:00
|
|
|
|
|
2006-10-04 20:07:58 +03:00
|
|
|
|
<section><title>Using Nix</title>
|
2004-10-14 14:54:41 +03:00
|
|
|
|
|
|
|
|
|
<para>To use Nix, some environment variables should be set. In
|
|
|
|
|
particular, <envar>PATH</envar> should contain the directories
|
|
|
|
|
<filename><replaceable>prefix</replaceable>/bin</filename> and
|
|
|
|
|
<filename>~/.nix-profile/bin</filename>. The first directory contains
|
|
|
|
|
the Nix tools themselves, while <filename>~/.nix-profile</filename> is
|
|
|
|
|
a symbolic link to the current <emphasis>user environment</emphasis>
|
|
|
|
|
(an automatically generated package consisting of symlinks to
|
|
|
|
|
installed packages). The simplest way to set the required environment
|
|
|
|
|
variables is to include the file
|
|
|
|
|
<filename><replaceable>prefix</replaceable>/etc/profile.d/nix.sh</filename>
|
2013-05-29 13:36:56 +03:00
|
|
|
|
in your <filename>~/.profile</filename> (or similar), like this:</para>
|
2004-10-14 14:54:41 +03:00
|
|
|
|
|
|
|
|
|
<screen>
|
2004-11-01 14:02:44 +02:00
|
|
|
|
source <replaceable>prefix</replaceable>/etc/profile.d/nix.sh</screen>
|
2003-11-26 16:25:39 +02:00
|
|
|
|
|
2006-08-21 19:05:11 +03:00
|
|
|
|
</section>
|
2004-10-14 14:54:41 +03:00
|
|
|
|
|
2003-11-26 16:25:39 +02:00
|
|
|
|
|
2003-08-13 12:13:52 +03:00
|
|
|
|
</chapter>
|