From 1f041ac54f43093e4f4df1caa630d491ff51c3f8 Mon Sep 17 00:00:00 2001 From: Andrew Brooks Date: Fri, 2 Sep 2022 18:32:35 -0500 Subject: [PATCH 01/46] Prevent tempdir from being GC-ed before addToStoreFromDump has renamed it This fixes issue 6823 by placing the tempdir used in LocalStore::addToStoreFromDump outside the Nix store, where automatic GC is no longer a concern. --- src/libstore/local-store.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index a272e4301..6abd52683 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -1388,7 +1388,7 @@ StorePath LocalStore::addToStoreFromDump(Source & source0, std::string_view name StringSource dumpSource { dump }; ChainSource bothSource { dumpSource, source }; - auto tempDir = createTempDir(realStoreDir, "add"); + auto tempDir = createTempDir("", "add"); delTempDir = std::make_unique(tempDir); tempPath = tempDir + "/x"; From 27be54ca533933db8c3e0cde4b213abf10dd5237 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 6 Sep 2022 18:27:39 +0200 Subject: [PATCH 02/46] nix develop: Ignore stdenv's $SHELL Stdenv sets this to a bash that doesn't have readline/completion support, so running 'nix (develop|shell)' inside a 'nix develop' gives you a crippled shell. So let's just ignore the derivation's $SHELL. This could break interactive use of build phases that use $SHELL, but they appear to be fairly rare. --- src/nix/develop.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/nix/develop.cc b/src/nix/develop.cc index ba7ba7c25..4de109754 100644 --- a/src/nix/develop.cc +++ b/src/nix/develop.cc @@ -246,6 +246,7 @@ struct Common : InstallableCommand, MixProfile "NIX_LOG_FD", "NIX_REMOTE", "PPID", + "SHELL", "SHELLOPTS", "SSL_CERT_FILE", // FIXME: only want to ignore /no-cert-file.crt "TEMP", From ece12a97d9c7e0024ebddb9e5eb0c919a9efb694 Mon Sep 17 00:00:00 2001 
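Review bot: Passing an empty directory to `createTempDir("", "add")` moves the temp dir to whatever the default temp location is, which is very likely a different filesystem from realStoreDir, so the later `moveFile(tempPath, realPath)` in addToStoreFromDump (outside this hunk) can no longer be a same-filesystem rename; whether moveFile falls back to a copy or fails with EXDEV is not visible here and should be confirmed before this lands. A copy fallback changes the failure mode (a partially written tree under realPath on interruption) and doubles the I/O for large NARs. It also assumes createTempDir creates the directory with a private mode in a shared temp location; a comment stating that assumption, `/* Created outside the store so the GC cannot race us; relies on createTempDir's private-mode mkdtemp and a cross-device move. */`, would at least make the trade-off explicit.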
From: Eelco Dolstra Date: Tue, 6 Sep 2022 19:20:31 +0200 Subject: [PATCH 03/46] lockfile -> lock file for consistency --- src/libexpr/flake/flake.cc | 4 ++-- src/libexpr/flake/lockfile.cc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/libexpr/flake/flake.cc b/src/libexpr/flake/flake.cc index 105e76bc6..119c556ac 100644 --- a/src/libexpr/flake/flake.cc +++ b/src/libexpr/flake/flake.cc @@ -483,12 +483,12 @@ LockedFlake lockFlake( } else if (auto follows = std::get_if<1>(&i.second)) { if (! trustLock) { // It is possible that the flake has changed, - // so we must confirm all the follows that are in the lockfile are also in the flake. + // so we must confirm all the follows that are in the lock file are also in the flake. auto overridePath(inputPath); overridePath.push_back(i.first); auto o = overrides.find(overridePath); // If the override disappeared, we have to refetch the flake, - // since some of the inputs may not be present in the lockfile. + // since some of the inputs may not be present in the lock file. if (o == overrides.end()) { mustRefetch = true; // There's no point populating the rest of the fake inputs, diff --git a/src/libexpr/flake/lockfile.cc b/src/libexpr/flake/lockfile.cc index 60b52d578..629d2e669 100644 --- a/src/libexpr/flake/lockfile.cc +++ b/src/libexpr/flake/lockfile.cc @@ -36,7 +36,7 @@ LockedNode::LockedNode(const nlohmann::json & json) , isFlake(json.find("flake") != json.end() ? (bool) json["flake"] : true) { if (!lockedRef.input.isLocked()) - throw Error("lockfile contains mutable lock '%s'", + throw Error("lock file contains mutable lock '%s'", fetchers::attrsToJSON(lockedRef.input.toAttrs())); } From 84fe75a12a085c6b4b8d4ac65a048f569de1252b Mon Sep 17 00:00:00 2001 
From: Andrew Brooks Date: Tue, 6 Sep 2022 17:48:00 -0500 Subject: [PATCH 04/46] Keep created temp dirs inside store, but protect from GC Implements the approach suggested by feedback on PR #6994, where tempdir paths are created in the store (now with an exclusive lock). As part of this work, the currently-broken and unused `createTempDirInStore` function is updated to create an exclusive lock on the temp directory in the store. The GC now makes a non-blocking attempt to lock any store directories that "look like" the temp directories created by this function, and if it can't acquire one, ignores the directory. --- src/libstore/gc.cc | 12 ++++++++++++ src/libstore/local-store.cc | 29 +++++++++++++++++++---------- src/libstore/local-store.hh | 2 +- 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc index 4c1a82279..6cd7efbc9 100644 --- a/src/libstore/gc.cc +++ b/src/libstore/gc.cc @@ -619,6 +619,18 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results) Path path = storeDir + "/" + std::string(baseName); Path realPath = realStoreDir + "/" + std::string(baseName); + /* There may be temp directories in the store that are still in use + by another process. We need to be sure that we can acquire an + exclusive lock before deleting them. */ + AutoCloseFD tmpDirFd; + if (baseName.rfind("add-", 0) == 0) { + tmpDirFd = open(realPath.c_str(), O_RDONLY | O_DIRECTORY); + if (tmpDirFd.get() == -1 || !lockFile(tmpDirFd.get(), ltWrite, false)) { + debug("skipping locked tempdir '%s'", realPath); + return; + } + } + printInfo("deleting '%1%'", path); results.paths.insert(path); diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 6abd52683..5ee451da3 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc 
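Review bot: The `tmpDirFd.get() == -1` branch reports "skipping locked tempdir" for every open() failure, so an `add-*` entry that cannot be opened for any other reason (permissions, a non-directory entry, an entry that vanished) is silently excluded from collection under a misleading message; record the reason and skip only on a failed lock attempt, e.g. `if (tmpDirFd.get() == -1) { debug("cannot open '%s': %s", realPath, strerror(errno)); return; }` before the `lockFile` check. `open(..., O_RDONLY | O_DIRECTORY)` follows symlinks, so adding `O_NOFOLLOW` makes sure the lock is taken on the store entry itself rather than on whatever it points to. If `lockFile` is implemented with fcntl() record locks (not visible here), the lock is per-process and a non-blocking attempt from the process that already holds it succeeds, so this guard would not protect a temp dir from a GC run in the same process — worth a comment on the lock semantics next to the check. collectGarbage continues outside the hunk.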
@@ -1382,13 +1382,15 @@ StorePath LocalStore::addToStoreFromDump(Source & source0, std::string_view name std::unique_ptr delTempDir; Path tempPath; + Path tempDir; + AutoCloseFD tempDirFd; if (!inMemory) { /* Drain what we pulled so far, and then keep on pulling */ StringSource dumpSource { dump }; ChainSource bothSource { dumpSource, source }; - auto tempDir = createTempDir("", "add"); + std::tie(tempDir, tempDirFd) = createTempDirInStore(); delTempDir = std::make_unique(tempDir); tempPath = tempDir + "/x"; @@ -1431,6 +1433,7 @@ StorePath LocalStore::addToStoreFromDump(Source & source0, std::string_view name } else { /* Move the temporary path we restored above. */ moveFile(tempPath, realPath); + tempDirFd.close(); } /* For computing the nar hash. In recursive SHA-256 mode, this @@ -1507,18 +1510,24 @@ StorePath LocalStore::addTextToStore( /* Create a temporary directory in the store that won't be - garbage-collected. */ -Path LocalStore::createTempDirInStore() + garbage-collected until the returned FD is closed. */ +std::pair LocalStore::createTempDirInStore() { - Path tmpDir; + Path tmpDirFn; + AutoCloseFD tmpDirFd; + bool lockedByUs = false; do { /* There is a slight possibility that `tmpDir' gets deleted by - the GC between createTempDir() and addTempRoot(), so repeat - until `tmpDir' exists. */ - tmpDir = createTempDir(realStoreDir); - addTempRoot(parseStorePath(tmpDir)); - } while (!pathExists(tmpDir)); - return tmpDir; + the GC between createTempDir() and when we acquire a lock on it. + We'll repeat until 'tmpDir' exists and we've locked it. */ + tmpDirFn = createTempDir(realStoreDir, "add"); + tmpDirFd = open(tmpDirFn.c_str(), O_RDONLY | O_DIRECTORY); + if (tmpDirFd.get() < 0) { + continue; + } + lockedByUs = lockFile(tmpDirFd.get(), ltWrite, true); + } while (!pathExists(tmpDirFn) || !lockedByUs); + return {tmpDirFn, std::move(tmpDirFd)}; } diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 70d225be3..bd0ce1fe6 100644 
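Review bot: In `createTempDirInStore`, `lockedByUs` is never reset inside the do-while, so once one iteration has locked a directory that the GC then removed (pathExists false, retry), a later iteration whose `open()` fails takes the `continue`, evaluates the condition with the stale `lockedByUs == true`, and if the new directory still exists returns it with an invalid `tmpDirFd` — an unlocked temp dir in the store, which is the race this commit set out to close. Conversely, a persistent open() failure while `lockedByUs` is still false loops forever, creating a fresh store temp dir on each pass. Reset the flag at the top of each iteration and treat anything other than ENOENT from open() as an error; the same loop is touched again by the later "Address PR feedback on #6694" patch without fixing this.
```cpp
    do {
        lockedByUs = false;
        /* The GC may remove `tmpDirFn' between createTempDir() and our
           lock attempt; repeat until it exists and we hold the lock. */
        tmpDirFn = createTempDir(realStoreDir, "add");
        tmpDirFd = open(tmpDirFn.c_str(), O_RDONLY | O_DIRECTORY);
        if (tmpDirFd.get() < 0) {
            if (errno != ENOENT)
                throw SysError("opening temporary directory '%s'", tmpDirFn);
            continue;
        }
        lockedByUs = lockFile(tmpDirFd.get(), ltWrite, true);
    } while (!pathExists(tmpDirFn) || !lockedByUs);
    // … unchanged: return {tmpDirFn, std::move(tmpDirFd)}; …
```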
--- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -256,7 +256,7 @@ private: void findRuntimeRoots(Roots & roots, bool censor); - Path createTempDirInStore(); + std::pair createTempDirInStore(); void checkDerivationOutputs(const StorePath & drvPath, const Derivation & drv); From 7852609999cdcbc056ef47b530dcb253bd2c0697 Mon Sep 17 00:00:00 2001 From: Valentin Gagarin Date: Mon, 12 Sep 2022 11:27:25 +0200 Subject: [PATCH 05/46] issue template: add feature label each change should be an improvement, a label for that is redundant. --- .github/ISSUE_TEMPLATE/feature_request.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 392ed30c6..4fe86d5ec 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -2,7 +2,7 @@ name: Feature request about: Suggest an idea for this project title: '' -labels: improvement +labels: feature assignees: '' --- From 565d888e0f6a2c66ee7b10f6fe6a97f79fa51732 Mon Sep 17 00:00:00 2001 From: Andrew Brooks Date: Mon, 12 Sep 2022 11:33:23 -0500 Subject: [PATCH 06/46] Address PR feedback on #6694 --- src/libstore/gc.cc | 5 ++--- src/libstore/local-store.cc | 3 +-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc index 6cd7efbc9..9ef8972f3 100644 --- a/src/libstore/gc.cc +++ b/src/libstore/gc.cc 
@@ -622,9 +622,8 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results) /* There may be temp directories in the store that are still in use by another process. We need to be sure that we can acquire an exclusive lock before deleting them. */ - AutoCloseFD tmpDirFd; - if (baseName.rfind("add-", 0) == 0) { - tmpDirFd = open(realPath.c_str(), O_RDONLY | O_DIRECTORY); + if (baseName.find("tmp-", 0) == 0) { + AutoCloseFD tmpDirFd = open(realPath.c_str(), O_RDONLY | O_DIRECTORY); if (tmpDirFd.get() == -1 || !lockFile(tmpDirFd.get(), ltWrite, false)) { debug("skipping locked tempdir '%s'", realPath); return; diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 5ee451da3..0b07cde34 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -1433,7 +1433,6 @@ StorePath LocalStore::addToStoreFromDump(Source & source0, std::string_view name } else { /* Move the temporary path we restored above. */ moveFile(tempPath, realPath); - tempDirFd.close(); } /* For computing the nar hash. In recursive SHA-256 mode, this @@ -1520,7 +1519,7 @@ std::pair LocalStore::createTempDirInStore() /* There is a slight possibility that `tmpDir' gets deleted by the GC between createTempDir() and when we acquire a lock on it. We'll repeat until 'tmpDir' exists and we've locked it. */ - tmpDirFn = createTempDir(realStoreDir, "add"); + tmpDirFn = createTempDir(realStoreDir, "tmp"); tmpDirFd = open(tmpDirFn.c_str(), O_RDONLY | O_DIRECTORY); if (tmpDirFd.get() < 0) { continue; From c6ff33ff5c83a546fc6e82055aa04abfe41011dc Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 13 Sep 2022 15:29:13 +0200 Subject: [PATCH 07/46] RunPager: Stop the progress bar In particular, the progress bar was interfering with 'less' rendering in '--help' (e.g. run 'nix --help' and hit '/' to search). --- src/libmain/shared.cc | 3 +++ 1 file changed, 3 insertions(+) 
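Review bot: `baseName.find("tmp-", 0) == 0` scans the whole name whenever the prefix is absent, which is every ordinary store path the GC visits; the replaced `rfind("tmp-", 0) == 0` was the bounded, idiomatic prefix test (or `hasPrefix`, if the codebase's helper is preferred). The literal must also stay in step with the `"tmp"` prefix handed to `createTempDir` in local-store.cc in this same commit; since createTempDir's naming scheme is not visible here, a shared constant for the prefix, `constexpr std::string_view tempDirPrefix = "tmp-";`, used by both sides would stop the two from drifting apart.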
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index 52b75f757..c1cf38565 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -4,6 +4,7 @@ #include "gc-store.hh" #include "util.hh" #include "loggers.hh" +#include "progress-bar.hh" #include #include @@ -422,6 +423,8 @@ RunPager::RunPager() if (!pager) pager = getenv("PAGER"); if (pager && ((std::string) pager == "" || (std::string) pager == "cat")) return; + stopProgressBar(); + Pipe toPager; toPager.create(); From d365cced4fadbbc63f0c39902a7091e1a34c34de Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 13 Sep 2022 16:58:32 +0200 Subject: [PATCH 08/46] Trim option descriptions This removes unintended blank lines in Markdown when the description is a multiline string literal. --- src/libutil/args.cc | 6 +++--- src/nix/main.cc | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/libutil/args.cc b/src/libutil/args.cc index 44b63f0f6..753980fd4 100644 --- a/src/libutil/args.cc +++ b/src/libutil/args.cc @@ -216,7 +216,7 @@ nlohmann::json Args::toJSON() if (flag->shortName) j["shortName"] = std::string(1, flag->shortName); if (flag->description != "") - j["description"] = flag->description; + j["description"] = trim(flag->description); j["category"] = flag->category; if (flag->handler.arity != ArityAny) j["arity"] = flag->handler.arity; @@ -237,7 +237,7 @@ nlohmann::json Args::toJSON() } auto res = nlohmann::json::object(); - res["description"] = description(); + res["description"] = trim(description()); res["flags"] = std::move(flags); res["args"] = std::move(args); auto s = doc(); @@ -379,7 +379,7 @@ nlohmann::json MultiCommand::toJSON() auto j = command->toJSON(); auto cat = nlohmann::json::object(); cat["id"] = command->category(); - cat["description"] = categories[command->category()]; + cat["description"] = trim(categories[command->category()]); j["category"] = std::move(cat); cmds[name] = std::move(j); } 
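Review bot: The emptiness guard on the line before `j["description"] = trim(flag->description);` still inspects the untrimmed string, so a description consisting only of whitespace or newlines now emits an empty `"description"` key where none was emitted before; test the trimmed value instead, `if (auto d = trim(flag->description); d != "") j["description"] = std::move(d);`. The `res["description"] = trim(description());` and category lines have no guard at all, so confirm the JSON consumers tolerate an empty string there.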
diff --git a/src/nix/main.cc b/src/nix/main.cc index f434e9655..e0155cd5d 100644 --- a/src/nix/main.cc +++ b/src/nix/main.cc @@ -325,7 +325,7 @@ void mainWrapped(int argc, char * * argv) std::cout << "attrs\n"; break; } for (auto & s : *completions) - std::cout << s.completion << "\t" << s.description << "\n"; + std::cout << s.completion << "\t" << trim(s.description) << "\n"; } }); From 8ebdbeb2574ab3a8b6dbd9826451d9f26ca5ad3e Mon Sep 17 00:00:00 2001 From: Ana Hobden Date: Wed, 7 Sep 2022 11:58:25 -0700 Subject: [PATCH 09/46] Add fish suport to installer Before this patch, installing Nix using the Fish shell did not work because Fish wasn't configured to add Nix to the PATH. Some options in #1512 offered workarounds, but they typically involve extra plugins or packages. This patch adds native, out-of-the-box support for the Fish shell. Note that Fish supports a `conf.d` directory, which is intended for exactly use cases like this: software projects distributing shell snippets. This patch takes advantage of it. The installer doesn't append any Nix loader behavior to any Fish config file. Because of that, the uninstall process is smooth and a reinstall obliterates the existing nix.fish files that we place instead of bothering the user with a backup / manual removal. Both single-user and multi-user cases are covered. It has been tested on Ubuntu, and a Mac with MacPorts, homebrew, and the Fish installer pkg. Closes #1512 Co-authored-by: Graham Christensen --- .gitignore | 2 ++ scripts/install-multi-user.sh | 47 +++++++++++++++++++++++++++++ scripts/install-nix-from-closure.sh | 29 +++++++++++++++--- scripts/local.mk | 2 ++ scripts/nix-profile-daemon.fish.in | 35 +++++++++++++++++++++ scripts/nix-profile.fish.in | 35 +++++++++++++++++++++ scripts/nix-profile.sh.in | 1 - 7 files changed, 145 insertions(+), 6 deletions(-) create mode 100644 scripts/nix-profile-daemon.fish.in create mode 100644 scripts/nix-profile.fish.in 
diff --git a/.gitignore b/.gitignore index 0c1b89ace..8e0db013f 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,8 @@ perl/Makefile.config # /scripts/ /scripts/nix-profile.sh /scripts/nix-profile-daemon.sh +/scripts/nix-profile.fish +/scripts/nix-profile-daemon.fish # /src/libexpr/ /src/libexpr/lexer-tab.cc diff --git a/scripts/install-multi-user.sh b/scripts/install-multi-user.sh index 9a990275c..a39339050 100644 --- a/scripts/install-multi-user.sh +++ b/scripts/install-multi-user.sh @@ -37,6 +37,19 @@ readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/e readonly PROFILE_BACKUP_SUFFIX=".backup-before-nix" readonly PROFILE_NIX_FILE="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.sh" +# Fish has different syntax than zsh/bash, treat it separate +readonly PROFILE_FISH_SUFFIX="conf.d/nix.fish" +readonly PROFILE_FISH_PREFIXES=( + # each of these are common values of $__fish_sysconf_dir, + # under which Fish will look for a file named + # $PROFILE_FISH_SUFFIX. + "/etc/fish" # standard + "/usr/local/etc/fish" # their installer .pkg for macOS + "/opt/homebrew/etc/fish" # homebrew + "/opt/local/etc/fish" # macports +) +readonly PROFILE_NIX_FILE_FISH="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.fish" + readonly NIX_INSTALLED_NIX="@nix@" readonly NIX_INSTALLED_CACERT="@cacert@" #readonly NIX_INSTALLED_NIX="/nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6" 
@@ -828,6 +841,19 @@ fi EOF } +# Fish has differing syntax +fish_source_lines() { + cat <&2 - printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p" "$p" >> "$fn" + printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p_sh" "$p_sh" >> "$fn" fi added=1 + p=${p_sh} break fi done for i in .zshenv .zshrc; do fn="$HOME/$i" if [ -w "$fn" ]; then - if ! grep -q "$p" "$fn"; then + if ! grep -q "$p_sh" "$fn"; then echo "modifying $fn..." >&2 - printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p" "$p" >> "$fn" + printf '\nif [ -e %s ]; then . %s; fi # added by Nix installer\n' "$p_sh" "$p_sh" >> "$fn" fi added=1 + p=${p_sh} break fi done + + if [ -d "$HOME/.config/fish" ]; then + fishdir=$HOME/.config/fish/conf.d + if [ ! -d "$fishdir" ]; then + mkdir -p "$fishdir" + fi + + fn="$fishdir/nix.fish" + echo "placing $fn..." >&2 + printf '\nif test -e %s; . %s; end # added by Nix installer\n' "$p_fish" "$p_fish" > "$fn" + added=1 + p=${p_fish} + fi +else + p=${p_sh} fi if [ -z "$added" ]; then diff --git a/scripts/local.mk b/scripts/local.mk index b8477178e..46255e432 100644 --- a/scripts/local.mk +++ b/scripts/local.mk @@ -6,6 +6,8 @@ noinst-scripts += $(nix_noinst_scripts) profiledir = $(sysconfdir)/profile.d $(eval $(call install-file-as, $(d)/nix-profile.sh, $(profiledir)/nix.sh, 0644)) +$(eval $(call install-file-as, $(d)/nix-profile.fish, $(profiledir)/nix.fish, 0644)) $(eval $(call install-file-as, $(d)/nix-profile-daemon.sh, $(profiledir)/nix-daemon.sh, 0644)) +$(eval $(call install-file-as, $(d)/nix-profile-daemon.fish, $(profiledir)/nix-daemon.fish, 0644)) clean-files += $(nix_noinst_scripts) diff --git a/scripts/nix-profile-daemon.fish.in b/scripts/nix-profile-daemon.fish.in new file mode 100644 index 000000000..56d851a9c --- /dev/null +++ b/scripts/nix-profile-daemon.fish.in 
@@ -0,0 +1,35 @@ +# Only execute this file once per shell. +if test -n "$__ETC_PROFILE_NIX_SOURCED" + return +end + +set __ETC_PROFILE_NIX_SOURCED 1 + +set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile" + +# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work. +if test -n "$NIX_SSH_CERT_FILE" + : # Allow users to override the NIX_SSL_CERT_FILE +else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch + set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt +else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed + set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem +else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS + set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt +else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS + set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt +else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile + set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" +else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile + set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt" +else + # Fall back to what is in the nix profiles, favouring whatever is defined last. + for i in $NIX_PROFILES + if test -e "$i/etc/ssl/certs/ca-bundle.crt" + set --export NIX_SSL_CERT_FILE "$i/etc/ssl/certs/ca-bundle.crt" + end + end +end + +fish_add_path --prepend --global "@localstatedir@/nix/profiles/default/bin" +fish_add_path --prepend --global "$HOME/.nix-profile/bin" diff --git a/scripts/nix-profile.fish.in b/scripts/nix-profile.fish.in new file mode 100644 index 000000000..59d247771 --- /dev/null +++ b/scripts/nix-profile.fish.in 
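Review bot: The user-override branch tests `$NIX_SSH_CERT_FILE` while every assignment below sets `NIX_SSL_CERT_FILE`, so a user's own CA bundle is silently replaced by the first matching system bundle; it should read `if test -n "$NIX_SSL_CERT_FILE"`. The same copy of the typo is in scripts/nix-profile.fish.in in this commit. The two `$NIX_LINK` fallbacks reference a variable this file never sets (the per-user script sets it from `$HOME/.nix-profile`), so here they expand to `/etc/ssl/certs/ca-bundle.crt` and `/etc/ca-bundle.crt`; either set `NIX_LINK` before the chain or drop those two branches. `fish_add_path` only exists in fish 3.2 and later, so on distributions shipping older fish the profile errors out; a guard such as `if functions -q fish_add_path` with a `set -gx PATH ... $PATH` fallback keeps those shells working.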
@@ -0,0 +1,35 @@ +if test -n "$HOME" && test -n "$USER" + + # Set up the per-user profile. + + set NIX_LINK $HOME/.nix-profile + + # Set up environment. + # This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix + set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile" + + # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work. + if test -n "$NIX_SSH_CERT_FILE" + : # Allow users to override the NIX_SSL_CERT_FILE + else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch + set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt + else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed + set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem + else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS + set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt + else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS + set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt + else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile + set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" + else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile + set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt" + end + + # Only use MANPATH if it is already set. In general `man` will just simply + # pick up `.nix-profile/share/man` because is it close to `.nix-profile/bin` + # which is in the $PATH. For more info, run `manpath -d`. + set --export --prepend --path MANPATH "$NIX_LINK/share/man" + + fish_add_path --prepend --global "$NIX_LINK/bin" + set --erase NIX_LINK +end diff --git a/scripts/nix-profile.sh.in b/scripts/nix-profile.sh.in index 45cbcbe74..5636085d4 100644 --- a/scripts/nix-profile.sh.in +++ b/scripts/nix-profile.sh.in 
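Review bot: The comment above `set --export --prepend --path MANPATH "$NIX_LINK/share/man"` says MANPATH is used only if already set, but the line is unconditional: when MANPATH is unset, fish creates it holding just the Nix directory, which replaces man's built-in default search path with a single entry. Guard it with `if set -q MANPATH` so the comment is true, or append an empty element so `man` still consults its defaults (MANPATH ending in ':' is the documented "append defaults" form; confirm fish exports the trailing empty element that way).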
@@ -1,7 +1,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then # Set up the per-user profile. - # This part should be kept in sync with nixpkgs:nixos/modules/programs/shell.nix NIX_LINK=$HOME/.nix-profile From 7194c87dce39d89868b3bc25790fefb56f7fefae Mon Sep 17 00:00:00 2001 From: Ana Hobden Date: Mon, 12 Sep 2022 09:46:06 -0700 Subject: [PATCH 10/46] Add installer_test matrix for shells Signed-off-by: Ana Hobden --- .github/workflows/ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 86b5dfd2e..628d1d192 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -81,7 +81,14 @@ jobs: with: install_url: '${{needs.installer.outputs.installerURL}}' install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve" - - run: nix-instantiate -E 'builtins.currentTime' --eval + - run: sudo apt install fish zsh + if: matrix.os == 'ubuntu-latest' + - run: brew install fish + if: matrix.os == 'macos-latest' + - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval" + - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval" + - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval" + - run: exec fish -c "nix-instantiate -E 'builtins.currentTime' --eval" docker_push_image: needs: [check_secrets, tests] From fae3b4fe8abc2b307a583e396a24d7899bb21451 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 14 Sep 2022 15:40:43 +0200 Subject: [PATCH 11/46] Add an installer test This runs the installer in a QEMU VM. Unlike the old installer test that ran inside a declaratively built RedHat/Debian image, this uses an image from Vagrant. --- flake.nix | 5 + tests/installer/default.nix | 136 +++++++++++++++++++++++++++ tests/installer/vagrant_insecure_key | 27 ++++++ 3 files changed, 168 insertions(+) create mode 100644 tests/installer/default.nix create mode 100644 tests/installer/vagrant_insecure_key 
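Review bot: `sudo apt install fish zsh` runs without `-y`, and apt aborts at its continue prompt when stdin is not a terminal, so the ubuntu leg can fail before any shell is exercised; use `sudo apt-get update && sudo apt-get install -y fish zsh`. The `bash -c` and `sh -c` steps are non-login, non-interactive shells that read none of the profile files the installer edits, `zsh -c` reads only `.zshenv`, and all four inherit PATH from the earlier install step, so they pass whether or not the per-shell integration works — only the fish step, via conf.d, actually tests what the previous commit added. Running each shell as a login shell with a scrubbed environment, e.g. `env -i HOME="$HOME" USER="$USER" bash -lc "nix-instantiate -E 'builtins.currentTime' --eval"`, would make the matrix meaningful; the leading `exec` adds nothing since each step is its own process.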
diff --git a/flake.nix b/flake.nix index cdb81179a..ec64719d1 100644 --- a/flake.nix +++ b/flake.nix @@ -546,6 +546,11 @@ # againstLatestStable = testNixVersions pkgs pkgs.nix pkgs.nixStable; } "touch $out"); + installerTests = import ./tests/installer { + binaryTarballs = self.hydraJobs.binaryTarball; + inherit nixpkgsFor; + }; + }; checks = forAllSystems (system: { diff --git a/tests/installer/default.nix b/tests/installer/default.nix new file mode 100644 index 000000000..39911aeb2 --- /dev/null +++ b/tests/installer/default.nix 
@@ -0,0 +1,136 @@ +{ binaryTarballs +, nixpkgsFor +}: + +let + + installScripts = { + install-default = { + script = '' + set -eux + + tar -xf ./nix.tar.xz + mv ./nix-* nix + ./nix/install --no-channel-add + ''; + }; + + install-force-no-daemon = { + script = '' + set -eux + + tar -xf ./nix.tar.xz + mv ./nix-* nix + ./nix/install --no-daemon + ''; + }; + + install-force-daemon = { + script = '' + set -eux + + tar -xf ./nix.tar.xz + mv ./nix-* nix + ./nix/install --daemon + ''; + }; + }; + + images = { + + "ubuntu-14-04" = { + image = import { + url = https://app.vagrantup.com/ubuntu/boxes/trusty64/versions/20190514.0.0/providers/virtualbox.box; + hash = "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8="; + }; + rootDisk = "box-disk1.vmdk"; + system = "x86_64-linux"; + }; + + "ubuntu-16-04" = { + image = import { + url = https://app.vagrantup.com/ubuntu/boxes/xenial64/versions/20211001.0.0/providers/virtualbox.box; + hash = "sha256-JCc0wd9vaSzCU8coByVtb/oDTAXYBPnORwEShS4oj4U="; + }; + rootDisk = "ubuntu-xenial-16.04-cloudimg.vmdk"; + system = "x86_64-linux"; + }; + + "ubuntu-22-10" = { + image = import { + url = https://app.vagrantup.com/ubuntu/boxes/kinetic64/versions/20220910.0.0/providers/virtualbox.box; + hash = "sha256-/IXr+Apyx2dqX6Gj4SoNtQ/5v1eKKopwzFgozAq6GFY="; + }; + rootDisk = "ubuntu-kinetic-22.10-cloudimg.vmdk"; + system = "x86_64-linux"; + }; + + }; + + makeTest = imageName: testName: + let image = images.${imageName}; in + with nixpkgsFor.${image.system}; + runCommand + "installer-test-${imageName}-${testName}" + { buildInputs = [ qemu_kvm openssh ]; + image = image.image; + installScript = installScripts.${testName}.script; + binaryTarball = binaryTarballs.${system}; + } + '' + echo "Unpacking Vagrant box..." + tar xvf $image + + qemu-img create -b ./${image.rootDisk} -F vmdk -f qcow2 ./disk.qcow2 + + echo "Starting qemu..." 
+ qemu-kvm -m 4096 -nographic \ + -drive id=disk1,file=./disk.qcow2,if=virtio \ + -netdev user,id=net0,restrict=yes,hostfwd=tcp::20022-:22 -device virtio-net-pci,netdev=net0 & + qemu_pid=$! + trap "kill $qemu_pid" EXIT + + if ! [ -e ./vagrant_insecure_key ]; then + cp ${./vagrant_insecure_key} vagrant_insecure_key + fi + + chmod 0400 ./vagrant_insecure_key + + ssh_opts="-o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ./vagrant_insecure_key" + ssh="ssh -p 20022 -q $ssh_opts vagrant@localhost" + + echo "Waiting for SSH..." + for ((i = 0; i < 120; i++)); do + echo "[ssh] Trying to connect..." + if $ssh -- true; then + echo "[ssh] Connected!" + break + fi + if ! kill -0 $qemu_pid; then + echo "qemu died unexpectedly" + exit 1 + fi + sleep 1 + done + + echo "Copying installer..." + scp -P 20022 $ssh_opts $binaryTarball/nix-*.tar.xz vagrant@localhost:nix.tar.xz + + echo "Running installer..." + $ssh "$installScript" + + echo "Testing Nix installation..." + # FIXME: should update ~/.bashrc. + $ssh "source ~/.profile; nix-env --version" + + echo "Done!" + touch $out + ''; + +in + +{ + ubuntu-14-04.install-default = makeTest "ubuntu-14-04" "install-default"; + #ubuntu-16-04.install-default = makeTest "ubuntu-16-04" "install-default"; + #ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; +} diff --git a/tests/installer/vagrant_insecure_key b/tests/installer/vagrant_insecure_key new file mode 100644 index 000000000..7d6a08390 --- /dev/null +++ b/tests/installer/vagrant_insecure_key 
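Review bot: `hostfwd=tcp::20022-:22` leaves the host address empty, which QEMU's user-mode networking treats as all interfaces, so the guest's sshd — reachable with the publicly known Vagrant insecure key this commit checks in — is exposed on every host interface whenever the test runs outside the Nix sandbox's private network namespace (sandboxing disabled, or macOS); bind it to loopback with `-netdev user,id=net0,restrict=yes,hostfwd=tcp:127.0.0.1:20022-:22`. The fixed port also means two of these derivations cannot run concurrently on one unsandboxed host. Next to `StrictHostKeyChecking=no`, add `-o UserKnownHostsFile=/dev/null`: every fresh VM presents a new host key, and the build user presumably has no writable `~/.ssh` for known_hosts. A short comment above the key copy stating that the key is the well-known Vagrant insecure key and the VM is disposable would pre-empt secret-scanner findings.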
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI +w+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoP +kcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2 +hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NO +Td0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcW +yLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQIBIwKCAQEA4iqWPJXtzZA68mKd +ELs4jJsdyky+ewdZeNds5tjcnHU5zUYE25K+ffJED9qUWICcLZDc81TGWjHyAqD1 +Bw7XpgUwFgeUJwUlzQurAv+/ySnxiwuaGJfhFM1CaQHzfXphgVml+fZUvnJUTvzf +TK2Lg6EdbUE9TarUlBf/xPfuEhMSlIE5keb/Zz3/LUlRg8yDqz5w+QWVJ4utnKnK +iqwZN0mwpwU7YSyJhlT4YV1F3n4YjLswM5wJs2oqm0jssQu/BT0tyEXNDYBLEF4A +sClaWuSJ2kjq7KhrrYXzagqhnSei9ODYFShJu8UWVec3Ihb5ZXlzO6vdNQ1J9Xsf +4m+2ywKBgQD6qFxx/Rv9CNN96l/4rb14HKirC2o/orApiHmHDsURs5rUKDx0f9iP +cXN7S1uePXuJRK/5hsubaOCx3Owd2u9gD6Oq0CsMkE4CUSiJcYrMANtx54cGH7Rk +EjFZxK8xAv1ldELEyxrFqkbE4BKd8QOt414qjvTGyAK+OLD3M2QdCQKBgQDtx8pN +CAxR7yhHbIWT1AH66+XWN8bXq7l3RO/ukeaci98JfkbkxURZhtxV/HHuvUhnPLdX +3TwygPBYZFNo4pzVEhzWoTtnEtrFueKxyc3+LjZpuo+mBlQ6ORtfgkr9gBVphXZG +YEzkCD3lVdl8L4cw9BVpKrJCs1c5taGjDgdInQKBgHm/fVvv96bJxc9x1tffXAcj +3OVdUN0UgXNCSaf/3A/phbeBQe9xS+3mpc4r6qvx+iy69mNBeNZ0xOitIjpjBo2+ +dBEjSBwLk5q5tJqHmy/jKMJL4n9ROlx93XS+njxgibTvU6Fp9w+NOFD/HvxB3Tcz +6+jJF85D5BNAG3DBMKBjAoGBAOAxZvgsKN+JuENXsST7F89Tck2iTcQIT8g5rwWC +P9Vt74yboe2kDT531w8+egz7nAmRBKNM751U/95P9t88EDacDI/Z2OwnuFQHCPDF +llYOUI+SpLJ6/vURRbHSnnn8a/XG+nzedGH5JGqEJNQsz+xT2axM0/W/CRknmGaJ +kda/AoGANWrLCz708y7VYgAtW2Uf1DPOIYMdvo6fxIB5i9ZfISgcJ/bbCUkFrhoH ++vq/5CIWxCPp0f85R4qxxQ5ihxJ0YDQT9Jpx4TMss4PSavPaBH3RXow5Ohe+bYoQ +NE5OgEXk2wVfZczCZpigBKbKZHNYcelXtTt/nP3rsCuGcM4h53s= +-----END RSA PRIVATE KEY----- From 0a8e666dd6d18ede4b5cd648e19d5950ee19f095 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 14 Sep 2022 18:40:16 +0200 Subject: [PATCH 12/46] Add Fedora 36 --- tests/installer/default.nix | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) 
diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 39911aeb2..ab3ef62f0 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -65,6 +65,16 @@ let system = "x86_64-linux"; }; + + "fedora-36" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/fedora36/versions/4.1.12/providers/libvirt.box; + hash = "sha256-rxPgnDnFkTDwvdqn2CV3ZUo3re9AdPtSZ9SvOHNvaks="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + }; + }; makeTest = imageName: testName: @@ -78,10 +88,12 @@ let binaryTarball = binaryTarballs.${system}; } '' - echo "Unpacking Vagrant box..." + echo "Unpacking Vagrant box $image..." tar xvf $image - qemu-img create -b ./${image.rootDisk} -F vmdk -f qcow2 ./disk.qcow2 + image_type=$(qemu-img info ${image.rootDisk} | sed 's/file format: \(.*\)/\1/; t; d') + + qemu-img create -b ./${image.rootDisk} -F "$image_type" -f qcow2 ./disk.qcow2 echo "Starting qemu..." qemu-kvm -m 4096 -nographic \ @@ -121,7 +133,7 @@ let echo "Testing Nix installation..." # FIXME: should update ~/.bashrc. - $ssh "source ~/.profile; nix-env --version" + $ssh "source ~/.bash_profile || source ~/.bash_login || source ~/.profile || true; nix-env --version" echo "Done!" touch $out @@ -133,4 +145,5 @@ in ubuntu-14-04.install-default = makeTest "ubuntu-14-04" "install-default"; #ubuntu-16-04.install-default = makeTest "ubuntu-16-04" "install-default"; #ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; + fedora-36.install-default = makeTest "fedora-36" "install-default"; } From 906c947ee8f2478d27e5eda649f44716e952d8a6 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 14 Sep 2022 18:53:30 +0200 Subject: [PATCH 13/46] Enable daemon installation test on Fedora --- tests/installer/default.nix | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index ab3ef62f0..8b6bde73f 100644 
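Review bot: `image_type=$(qemu-img info ${image.rootDisk} | sed 's/file format: \(.*\)/\1/; t; d')` screen-scrapes qemu-img's human-readable output, whose wording is not stable across releases, and the script has no check that `image_type` came out non-empty before it is passed to `-F`; since the format is already known per image, add it to each `images` entry next to `rootDisk` (`format = "vmdk";` for the Ubuntu boxes, `format = "qcow2";` for the Fedora one — the latter inferred from the `box.img` name, so confirm) and pass `-F ${image.format}`. If detection is kept, `qemu-img info --output=json` is the supported machine-readable form.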
--- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -7,8 +7,6 @@ let installScripts = { install-default = { script = '' - set -eux - tar -xf ./nix.tar.xz mv ./nix-* nix ./nix/install --no-channel-add @@ -17,8 +15,6 @@ let install-force-no-daemon = { script = '' - set -eux - tar -xf ./nix.tar.xz mv ./nix-* nix ./nix/install --no-daemon @@ -27,15 +23,15 @@ let install-force-daemon = { script = '' - set -eux - tar -xf ./nix.tar.xz mv ./nix-* nix - ./nix/install --daemon + ./nix/install --daemon --no-channel-add ''; }; }; + disableSELinux = "sudo setenforce 0"; + images = { "ubuntu-14-04" = { @@ -65,7 +61,6 @@ let system = "x86_64-linux"; }; - "fedora-36" = { image = import { url = https://app.vagrantup.com/generic/boxes/fedora36/versions/4.1.12/providers/libvirt.box; @@ -73,6 +68,7 @@ let }; rootDisk = "box.img"; system = "x86_64-linux"; + postBoot = disableSELinux; }; }; @@ -84,6 +80,7 @@ let "installer-test-${imageName}-${testName}" { buildInputs = [ qemu_kvm openssh ]; image = image.image; + postBoot = image.postBoot or ""; installScript = installScripts.${testName}.script; binaryTarball = binaryTarballs.${system}; } @@ -125,15 +122,25 @@ let sleep 1 done + if [[ -n $postBoot ]]; then + echo "Running post-boot commands..." + $ssh "set -ex; $postBoot" + fi + echo "Copying installer..." scp -P 20022 $ssh_opts $binaryTarball/nix-*.tar.xz vagrant@localhost:nix.tar.xz echo "Running installer..." - $ssh "$installScript" + $ssh "set -eux; $installScript" echo "Testing Nix installation..." # FIXME: should update ~/.bashrc. - $ssh "source ~/.bash_profile || source ~/.bash_login || source ~/.profile || true; nix-env --version" + $ssh " + set -ex + source ~/.bash_profile || source ~/.bash_login || source ~/.profile || true + nix-env --version + nix --extra-experimental-features nix-command store ping + " echo "Done!" touch $out 
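Review bot: `disableSELinux = "sudo setenforce 0";` switches the Fedora VM to permissive mode before the installer runs, so the test can no longer detect the installer failing under the default enforcing policy, which is the environment Fedora users actually have. If a known labelling problem is the reason, state it next to the definition, `# FIXME: installer currently fails under enforcing SELinux; see <tracking issue>`, and consider a second variant that keeps enforcing and is allowed to fail, so the gap stays visible rather than hidden by the test setup. The `$ssh "set -ex; $postBoot"` line runs whatever `postBoot` holds as an unquoted remote command string; a comment noting that `postBoot` is trusted test configuration, not data, makes the intent clear.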
@@ -146,4 +153,5 @@ in #ubuntu-16-04.install-default = makeTest "ubuntu-16-04" "install-default"; #ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; fedora-36.install-default = makeTest "fedora-36" "install-default"; + fedora-36.install-force-daemon = makeTest "fedora-36" "install-force-daemon"; } From cc6e31231547fc64c89c6682316f2bab03db6879 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 14 Sep 2022 19:44:41 +0200 Subject: [PATCH 14/46] Get Ubuntu 22.10 to work --- tests/installer/default.nix | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 8b6bde73f..9b2a34bdb 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -85,6 +85,8 @@ let binaryTarball = binaryTarballs.${system}; } '' + shopt -s nullglob + echo "Unpacking Vagrant box $image..." tar xvf $image @@ -92,10 +94,19 @@ let qemu-img create -b ./${image.rootDisk} -F "$image_type" -f qcow2 ./disk.qcow2 + extra_qemu_opts= + + # Add the config disk, required by the Ubuntu images. + config_drive=$(echo *configdrive.vmdk || true) + if [[ -n $config_drive ]]; then + extra_qemu_opts+=" -drive id=disk2,file=$config_drive,if=virtio" + fi + echo "Starting qemu..." qemu-kvm -m 4096 -nographic \ -drive id=disk1,file=./disk.qcow2,if=virtio \ - -netdev user,id=net0,restrict=yes,hostfwd=tcp::20022-:22 -device virtio-net-pci,netdev=net0 & + -netdev user,id=net0,restrict=yes,hostfwd=tcp::20022-:22 -device virtio-net-pci,netdev=net0 \ + $extra_qemu_opts & qemu_pid=$! trap "kill $qemu_pid" EXIT 
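Review bot: In the `@@ -92,10 +94,19 @@` hunk, `config_drive=$(echo *configdrive.vmdk || true)` has a dead `|| true` (with `nullglob` an unmatched pattern just makes `echo` print nothing, and `echo` does not fail), and if a box ever ships more than one matching file the variable holds several space-separated names that are then spliced into a single `-drive id=disk2,file=...` option. Selecting exactly one match, e.g. `config_drive=$(ls *configdrive.vmdk 2>/dev/null | head -n 1)`, keeps the intent and fails cleanly on the multi-file case. The shell body continues outside the hunk.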
@@ -137,7 +148,13 @@ let # FIXME: should update ~/.bashrc. $ssh " set -ex - source ~/.bash_profile || source ~/.bash_login || source ~/.profile || true + + # FIXME: get rid of this; ideally ssh should just work. + source ~/.bash_profile || true + source ~/.bash_login || true + source ~/.profile || true + source /etc/bashrc || true + nix-env --version nix --extra-experimental-features nix-command store ping " @@ -151,7 +168,8 @@ in { ubuntu-14-04.install-default = makeTest "ubuntu-14-04" "install-default"; #ubuntu-16-04.install-default = makeTest "ubuntu-16-04" "install-default"; - #ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; + ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; + ubuntu-22-10.install-force-daemon = makeTest "ubuntu-22-10" "install-force-daemon"; fedora-36.install-default = makeTest "fedora-36" "install-default"; fedora-36.install-force-daemon = makeTest "fedora-36" "install-force-daemon"; } From 02af02854d41b390957300bac778139bc1c6b5c2 Mon Sep 17 00:00:00 2001 From: Matthew Kenigsberg Date: Wed, 14 Sep 2022 15:35:56 -0600 Subject: [PATCH 15/46] dockerImage: fix root shell Currently root's shell is set to a path that does not exist; this change sets it to the correct path to bash --- docker.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker.nix b/docker.nix index e95caf274..bb2b4e7ff 100644 --- a/docker.nix +++ b/docker.nix @@ -33,7 +33,7 @@ let root = { uid = 0; - shell = "/bin/bash"; + shell = "${pkgs.bashInteractive}/bin/bash"; home = "/root"; gid = 0; }; From fe958a682d293dec5f27d0c161833b453370d755 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 11:42:10 +0200 Subject: [PATCH 16/46] Test building --- tests/installer/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 9b2a34bdb..d0707018f 100644 --- a/tests/installer/default.nix 
+++ b/tests/installer/default.nix @@ -146,7 +146,7 @@ let echo "Testing Nix installation..." # FIXME: should update ~/.bashrc. - $ssh " + $ssh < \$out"]; }') + [[ \$(cat \$out) = foobar ]] + EOF echo "Done!" touch $out From 29aaec1e593f1837a73779f243ed0ec4220f7ea8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 13:15:26 +0200 Subject: [PATCH 17/46] Make cross product of images and tests --- tests/installer/default.nix | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index d0707018f..72ad764cc 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -168,11 +168,9 @@ let in -{ - ubuntu-14-04.install-default = makeTest "ubuntu-14-04" "install-default"; - #ubuntu-16-04.install-default = makeTest "ubuntu-16-04" "install-default"; - ubuntu-22-10.install-default = makeTest "ubuntu-22-10" "install-default"; - ubuntu-22-10.install-force-daemon = makeTest "ubuntu-22-10" "install-force-daemon"; - fedora-36.install-default = makeTest "fedora-36" "install-default"; - fedora-36.install-force-daemon = makeTest "fedora-36" "install-force-daemon"; -} +builtins.mapAttrs (imageName: image: + { ${image.system} = builtins.mapAttrs (testName: test: + makeTest imageName testName + ) installScripts; + } +) images From 5c8cdb9b60e0e8d24458a15577e4be3aaa16b600 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 13:19:46 +0200 Subject: [PATCH 18/46] Add Ubuntu 22.04 LTS --- tests/installer/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 72ad764cc..17b0fd4ea 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix 
@@ -52,6 +52,15 @@ let system = "x86_64-linux"; }; + "ubuntu-22-04" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/ubuntu2204/versions/4.1.12/providers/libvirt.box; + hash = "sha256-HNll0Qikw/xGIcogni5lz01vUv+R3o8xowP2EtqjuUQ="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + }; + "ubuntu-22-10" = { image = import { url = https://app.vagrantup.com/ubuntu/boxes/kinetic64/versions/20220910.0.0/providers/virtualbox.box; From ef714aa8a566bbdb30919ffd45b8a1fd8e2bc484 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 13:25:26 +0200 Subject: [PATCH 19/46] Remove pre-release Ubuntu 22.10 --- tests/installer/default.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 17b0fd4ea..a2cbbcbb8 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -61,15 +61,6 @@ let system = "x86_64-linux"; }; - "ubuntu-22-10" = { - image = import { - url = https://app.vagrantup.com/ubuntu/boxes/kinetic64/versions/20220910.0.0/providers/virtualbox.box; - hash = "sha256-/IXr+Apyx2dqX6Gj4SoNtQ/5v1eKKopwzFgozAq6GFY="; - }; - rootDisk = "ubuntu-kinetic-22.10-cloudimg.vmdk"; - system = "x86_64-linux"; - }; - "fedora-36" = { image = import { url = https://app.vagrantup.com/generic/boxes/fedora36/versions/4.1.12/providers/libvirt.box; From 503f31e2a0de3192ccc572cc17a6dd02863ebec8 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 13:28:03 +0200 Subject: [PATCH 20/46] Use libvirt image --- tests/installer/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index a2cbbcbb8..39e3c8d26 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix 
@@ -45,10 +45,10 @@ let "ubuntu-16-04" = { image = import { - url = https://app.vagrantup.com/ubuntu/boxes/xenial64/versions/20211001.0.0/providers/virtualbox.box; - hash = "sha256-JCc0wd9vaSzCU8coByVtb/oDTAXYBPnORwEShS4oj4U="; + url = https://app.vagrantup.com/generic/boxes/ubuntu1604/versions/4.1.12/providers/libvirt.box; + hash = "sha256-lO4oYQR2tCh5auxAYe6bPOgEqOgv3Y3GC1QM1tEEEU8="; }; - rootDisk = "ubuntu-xenial-16.04-cloudimg.vmdk"; + rootDisk = "box.img"; system = "x86_64-linux"; }; From a96ad2ab25ea054b9d1c473ce2f692bd1f83402b Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 14:51:10 +0200 Subject: [PATCH 21/46] Add RHEL 7/8 --- tests/installer/default.nix | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 39e3c8d26..d31e2a949 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -71,6 +71,38 @@ let postBoot = disableSELinux; }; + # Currently fails with 'error while loading shared libraries: + # libsodium.so.23: cannot stat shared object: Invalid argument'. + /* + "rhel-6" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/rhel6/versions/4.1.12/providers/libvirt.box; + hash = "sha256-QwzbvRoRRGqUCQptM7X/InRWFSP2sqwRt2HaaO6zBGM="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + }; + */ + + "rhel-7" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/rhel7/versions/4.1.12/providers/libvirt.box; + hash = "sha256-b4afnqKCO9oWXgYHb9DeQ2berSwOjS27rSd9TxXDc/U="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + }; + + "rhel-8" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/rhel8/versions/4.1.12/providers/libvirt.box; + hash = "sha256-zFOPjSputy1dPgrQRixBXmlyN88cAKjJ21VvjSWUCUY="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + postBoot = disableSELinux; + }; + }; makeTest = imageName: testName: 
@@ -116,7 +148,7 @@ let chmod 0400 ./vagrant_insecure_key - ssh_opts="-o StrictHostKeyChecking=no -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ./vagrant_insecure_key" + ssh_opts="-o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ./vagrant_insecure_key" ssh="ssh -p 20022 -q $ssh_opts vagrant@localhost" echo "Waiting for SSH..." From ba04b5b1d74c285e12fc3d24524cb8f30f108767 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 14:51:44 +0200 Subject: [PATCH 22/46] Disable Ubuntu 14.04 --- tests/installer/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index d31e2a949..a3a7f85f9 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -34,6 +34,7 @@ let images = { + /* "ubuntu-14-04" = { image = import { url = https://app.vagrantup.com/ubuntu/boxes/trusty64/versions/20190514.0.0/providers/virtualbox.box; @@ -42,6 +43,7 @@ let rootDisk = "box-disk1.vmdk"; system = "x86_64-linux"; }; + */ "ubuntu-16-04" = { image = import { From 3dd313a7c20772ef34af4a43fb3673df1e7d00cf Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 15:50:52 +0200 Subject: [PATCH 23/46] Add RHEL 9 --- tests/installer/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index a3a7f85f9..eab103562 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -105,6 +105,17 @@ let postBoot = disableSELinux; }; + "rhel-9" = { + image = import { + url = https://app.vagrantup.com/generic/boxes/rhel9/versions/4.1.12/providers/libvirt.box; + hash = "sha256-vL/FbB3kK1rcSaR627nWmScYGKGk4seSmAdq6N5diMg="; + }; + rootDisk = "box.img"; + system = "x86_64-linux"; + postBoot = disableSELinux; + extraQemuOpts = "-cpu Westmere-v2"; + }; + }; makeTest = imageName: testName: 
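Review bot: The added `-o HostKeyAlgorithms=+ssh-rsa` in the `@@ -116,7 +148,7 @@` hunk, together with the existing `StrictHostKeyChecking=no` and `PubkeyAcceptedKeyTypes=+ssh-rsa`, re-enables SHA-1-signed RSA keys that current OpenSSH rejects by default. That is reasonable for a throwaway VM reachable only through qemu's `restrict=yes` user network on localhost, and is presumably needed by the RHEL boxes added in this commit, but nothing in the file says so. A comment above the line such as `# Legacy RSA options are for older boxes' sshd; the VM is only reachable via the restricted qemu user network, so host-key checking is irrelevant here.` would keep these options from being copied into a real deployment.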
@@ -128,7 +139,7 @@ let qemu-img create -b ./${image.rootDisk} -F "$image_type" -f qcow2 ./disk.qcow2 - extra_qemu_opts= + extra_qemu_opts="${image.extraQemuOpts}" # Add the config disk, required by the Ubuntu images. config_drive=$(echo *configdrive.vmdk || true) From 0d4bf9c4d836f8e8570ad1d39245a5835ef4aaf1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 15 Sep 2022 15:56:46 +0200 Subject: [PATCH 24/46] Fix evaluation --- tests/installer/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index eab103562..c118937a6 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -139,7 +139,7 @@ let qemu-img create -b ./${image.rootDisk} -F "$image_type" -f qcow2 ./disk.qcow2 - extra_qemu_opts="${image.extraQemuOpts}" + extra_qemu_opts="${image.extraQemuOpts or ""}" # Add the config disk, required by the Ubuntu images. config_drive=$(echo *configdrive.vmdk || true) From 84fb036062b879c454188a2a4f7123720a6eb9be Mon Sep 17 00:00:00 2001 From: Valentin Gagarin Date: Thu, 15 Sep 2022 18:16:17 +0200 Subject: [PATCH 25/46] add issue template for missing or incorrect documentation this allows anyone to create labelled issues for easy filtering. --- .../ISSUE_TEMPLATE/missing_documentation.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/missing_documentation.md diff --git a/.github/ISSUE_TEMPLATE/missing_documentation.md b/.github/ISSUE_TEMPLATE/missing_documentation.md new file mode 100644 index 000000000..84868814f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/missing_documentation.md 
@@ -0,0 +1,28 @@ +--- +name: Missing or incorrect documentation +about: +title: '' +labels: 'documentation' +assignees: '' + +--- + +## Problem + + + +## Checklist + + + +- [ ] checked [latest Nix manual]\ ([source]) +- [ ] checked [open documentation issues and pull requests] for possible duplicates + +[latest Nix manual]: https://nixos.org/manual/nix/unstable/ +[source]: https://github.com/NixOS/nix/tree/master/doc/manual/src +[open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation + +## Proposal + + + From 875a99eaa483850e7794a495102ce0c97658d89f Mon Sep 17 00:00:00 2001 From: Valentin Gagarin Date: Fri, 16 Sep 2022 09:41:27 +0200 Subject: [PATCH 26/46] fix markdown rendering quirk markdown would interpret parentheses as belonging to the first link without escaping. --- .github/ISSUE_TEMPLATE/missing_documentation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/missing_documentation.md b/.github/ISSUE_TEMPLATE/missing_documentation.md index 84868814f..8ded9f063 100644 --- a/.github/ISSUE_TEMPLATE/missing_documentation.md +++ b/.github/ISSUE_TEMPLATE/missing_documentation.md @@ -15,7 +15,7 @@ assignees: '' -- [ ] checked [latest Nix manual]\ ([source]) +- [ ] checked [latest Nix manual] \([source]) - [ ] checked [open documentation issues and pull requests] for possible duplicates [latest Nix manual]: https://nixos.org/manual/nix/unstable/ From b3550d9179611692a4e27fbe4e5f493f4e8713e3 Mon Sep 17 00:00:00 2001 
From: Adam Joseph Date: Fri, 16 Sep 2022 00:47:54 -0700 Subject: [PATCH 27/46] libexpr/fetchurl.nix: allow __impure fetch This commit adds an optional `__impure` parameter to fetchurl.nix, which allows the caller to use `libfetcher`'s fetcher in an impure derivation. This allows nixpkgs' patch-normalizing fetcher (fetchpatch) to be rewritten to use nix's internal fetchurl, thereby eliminating the awkward "you can't use fetchpatch here" banners scattered all over the place. See also: https://github.com/NixOS/nixpkgs/pull/188587 --- src/libexpr/fetchurl.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/libexpr/fetchurl.nix b/src/libexpr/fetchurl.nix index 02531103b..38815fcc4 100644 --- a/src/libexpr/fetchurl.nix +++ b/src/libexpr/fetchurl.nix @@ -12,13 +12,13 @@ , executable ? false , unpack ? false , name ? baseNameOf (toString url) +, __impure ? false }: -derivation { +derivation ({ builder = "builtin:fetchurl"; # New-style output content requirements. - inherit outputHashAlgo outputHash; outputHashMode = if unpack || executable then "recursive" else "flat"; inherit name url executable unpack; @@ -38,4 +38,6 @@ derivation { # To make "nix-prefetch-url" work. urls = [ url ]; -} +} // (if __impure + then { inherit __impure; } + else { inherit outputHashAlgo outputHash; })) From 673fd21b7c12b3b0a7fd7e0c9c78caefd8906836 Mon Sep 17 00:00:00 2001 From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com> Date: Fri, 16 Sep 2022 08:51:14 +0000 Subject: [PATCH 28/46] Update src/libexpr/fetchurl.nix Co-authored-by: Eelco Dolstra --- src/libexpr/fetchurl.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libexpr/fetchurl.nix b/src/libexpr/fetchurl.nix index 38815fcc4..b487e959a 100644 --- a/src/libexpr/fetchurl.nix +++ b/src/libexpr/fetchurl.nix @@ -12,7 +12,7 @@ , executable ? false , unpack ? false , name ? baseNameOf (toString url) -, __impure ? false +, impure ? false }: derivation ({ 
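Review bot: In the `@@ -38,4 +38,6 @@` hunk, when `__impure` is true the `else` branch that inherits `outputHashAlgo outputHash` is skipped, so a caller that passes both a hash (`hash`/`sha256`, as the release note later in this series puts it) and `__impure = true` gets a fetch whose result is never checked against the hash it supplied, with no error. A supplied hash is an integrity statement, so the two should be mutually exclusive; if `outputHash` is empty whenever no hash was given (its default is not visible here), `assert !(__impure && outputHash != "");` placed before `derivation ({` would catch the contradictory call at evaluation time. The same structure is kept by the rename hunks in commits 28 and 29 (the `impure` parameter), so the check applies there too. The parameter list at the top of the file starts outside the first hunk.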
From fb985f855c3bba09703bfb0ad7618ab881c2b0c4 Mon Sep 17 00:00:00 2001 From: Adam Joseph Date: Fri, 16 Sep 2022 01:52:20 -0700 Subject: [PATCH 29/46] fetchurl.nix: change other use of __impure --- src/libexpr/fetchurl.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libexpr/fetchurl.nix b/src/libexpr/fetchurl.nix index b487e959a..9d1b61d7f 100644 --- a/src/libexpr/fetchurl.nix +++ b/src/libexpr/fetchurl.nix @@ -38,6 +38,6 @@ derivation ({ # To make "nix-prefetch-url" work. urls = [ url ]; -} // (if __impure - then { inherit __impure; } +} // (if impure + then { __impure = true; } else { inherit outputHashAlgo outputHash; })) From ad5b09423aa7e5112de06667e28e78a9e4d1ff33 Mon Sep 17 00:00:00 2001 From: Adam Joseph Date: Fri, 16 Sep 2022 01:59:24 -0700 Subject: [PATCH 30/46] release-notes/rl-next.md: note new argument to fetchurl.nix --- doc/manual/src/release-notes/rl-next.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md index 78ae99f4b..68f7d1a9d 100644 --- a/doc/manual/src/release-notes/rl-next.md +++ b/doc/manual/src/release-notes/rl-next.md @@ -1,2 +1,7 @@ # Release X.Y (202?-??-??) +* `` now accepts an additional argument `impure` which + defaults to `false`. If it is set to `true`, the `hash` and `sha256` + arguments will be ignored and the resulting derivation will have + `__impure` set to `true`, making it an impure derivation. + From 0f977bf91e29192d7f0c0f9cad16351bad7cd137 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= <7226587+thufschmitt@users.noreply.github.com> Date: Mon, 19 Sep 2022 08:42:43 +0200 Subject: [PATCH 31/46] Remove a useless debug message in filetransfer.cc Remove the `verify TLS: Nix CA file = 'blah'` message that Nix used to print when fetching anything as it's both useless (`libcurl` prints the same info in its logs) and misleading (gives the impression that a new TLS connection is being established which might not be the case because of multiplexing. See #7011 ) --- src/libstore/filetransfer.cc | 1 - 1 file changed, 1 deletion(-) diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc index 252403cb5..5746c32a3 100644 --- a/src/libstore/filetransfer.cc +++ b/src/libstore/filetransfer.cc @@ -322,7 +322,6 @@ struct curlFileTransfer : public FileTransfer } if (request.verifyTLS) { - debug("verify TLS: Nix CA file = '%s'", settings.caFile); if (settings.caFile != "") curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str()); } else { From 4b11c22386abc8b7176602446ca061c5504635cc Mon Sep 17 00:00:00 2001 From: Valentin Gagarin Date: Mon, 19 Sep 2022 10:02:07 +0200 Subject: [PATCH 32/46] issue template: fill 'about' field according to [GitHub documentation] some fields are required. `about` is not listed, but it probably is required. [GitHub documentation]: https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms --- .github/ISSUE_TEMPLATE/missing_documentation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/missing_documentation.md b/.github/ISSUE_TEMPLATE/missing_documentation.md index 8ded9f063..fbabd868e 100644 --- a/.github/ISSUE_TEMPLATE/missing_documentation.md +++ b/.github/ISSUE_TEMPLATE/missing_documentation.md 
@@ -1,8 +1,8 @@ --- name: Missing or incorrect documentation -about: +about: Help us improve the reference manual title: '' -labels: 'documentation' +labels: documentation assignees: '' --- From 1b595026e18afb050de3f62ded8f7180bc8b2b0e Mon Sep 17 00:00:00 2001 From: squalus Date: Mon, 19 Sep 2022 11:15:31 -0700 Subject: [PATCH 33/46] Improve durability of schema version file writes - call close explicitly in writeFile to prevent the close exception from being ignored - fsync after writing schema file to flush data to disk - fsync schema file parent to flush metadata to disk https://github.com/NixOS/nix/issues/7064 --- src/libstore/local-store.cc | 6 +++--- src/libutil/util.cc | 38 +++++++++++++++++++++++++++++++++++-- src/libutil/util.hh | 8 ++++++-- 3 files changed, 45 insertions(+), 7 deletions(-) diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 0b07cde34..37302d3a8 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -158,7 +158,7 @@ void migrateCASchema(SQLite& db, Path schemaPath, AutoCloseFD& lockFd) txn.commit(); } - writeFile(schemaPath, fmt("%d", nixCASchemaVersion)); + writeFile(schemaPath, fmt("%d", nixCASchemaVersion), 0666, true); lockFile(lockFd.get(), ltRead, true); } } @@ -281,7 +281,7 @@ LocalStore::LocalStore(const Params & params) else if (curSchema == 0) { /* new store */ curSchema = nixSchemaVersion; openDB(*state, true); - writeFile(schemaPath, (format("%1%") % nixSchemaVersion).str()); + writeFile(schemaPath, (format("%1%") % nixSchemaVersion).str(), 0666, true); } else if (curSchema < nixSchemaVersion) { @@ -329,7 +329,7 @@ LocalStore::LocalStore(const Params & params) txn.commit(); } - writeFile(schemaPath, (format("%1%") % nixSchemaVersion).str()); + writeFile(schemaPath, (format("%1%") % nixSchemaVersion).str(), 0666, true); lockFile(globalLock.get(), ltRead, true); } diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 96ac11ea2..623b74bdd 100644 --- a/src/libutil/util.cc 
+++ b/src/libutil/util.cc
@@ -353,7 +353,7 @@ void readFile(const Path & path, Sink & sink)
 }
 
 
-void writeFile(const Path & path, std::string_view s, mode_t mode)
+void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
 {
 AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
 if (!fd)
@@ -364,10 +364,16 @@ void writeFile(const Path & path, std::string_view s, mode_t mode)
 e.addTrace({}, "writing file '%1%'", path);
 throw;
 }
+ if (sync)
+ fd.fsync();
+ // Explicitly close to make sure exceptions are propagated.
+ fd.close();
+ if (sync)
+ syncParent(path);
 }
 
 
-void writeFile(const Path & path, Source & source, mode_t mode)
+void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
 {
 AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
 if (!fd)
@@ -386,6 +392,20 @@ void writeFile(const Path & path, Source & source, mode_t mode)
 e.addTrace({}, "writing file '%1%'", path);
 throw;
 }
+ if (sync)
+ fd.fsync();
+ // Explicitly close to make sure exceptions are propagated.
+ fd.close();
+ if (sync)
+ syncParent(path);
+}
+
+void syncParent(const Path & path)
+{
+ AutoCloseFD fd = open(dirOf(path).c_str(), O_RDONLY, 0);
+ if (!fd)
+ throw SysError("opening file '%1%'", path);
+ fd.fsync();
 }
 
 std::string readLine(int fd)
@@ -841,6 +861,20 @@ void AutoCloseFD::close()
 }
 }
 
 
+void AutoCloseFD::fsync()
+{
+ if (fd != -1) {
+ int result;
+#if __APPLE__
+ result = ::fcntl(fd, F_FULLFSYNC);
+#else
+ result = ::fsync(fd);
+#endif
+ if (result == -1)
+ throw SysError("fsync file descriptor %1%", fd);
+ }
+}
+
 AutoCloseFD::operator bool() const
 {
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index cd83f250f..e5c678682 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
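Review bot: In the `@@ -386,6 +392,20 @@` hunk, `syncParent` throws `SysError("opening file '%1%'", path)` although the descriptor it failed to open is the directory from `dirOf(path)`; the message should name what was opened, e.g. `throw SysError("opening directory '%1%'", dirOf(path));`. The new `sync` path also makes the in-place `O_TRUNC` write durable but not atomic: a crash between the truncate and the `fsync` leaves a zero-length or partial file that the schema-file callers in local-store.cc (commit 33's earlier hunks) would presumably then misread, so if that window matters the usual write-to-temp, fsync, rename, `syncParent` sequence is the fix. Note as well that `AutoCloseFD::fsync()` silently returns on an invalid descriptor, so `sync = true` cannot report that case; harmless here because both `writeFile` overloads check `fd` right after `open`, but worth a one-line comment on the method. The `#if __APPLE__` branch uses `F_FULLFSYNC` on whatever descriptor is passed, including the directory from `syncParent`; I cannot confirm from here that this is accepted on directories, so that path deserves a test on macOS.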
@@ -115,9 +115,12 @@ std::string readFile(const Path & path);
 void readFile(const Path & path, Sink & sink);
 
 /* Write a string to a file. */
-void writeFile(const Path & path, std::string_view s, mode_t mode = 0666);
+void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, bool sync = false);
 
-void writeFile(const Path & path, Source & source, mode_t mode = 0666);
+void writeFile(const Path & path, Source & source, mode_t mode = 0666, bool sync = false);
+
+/* Flush a file's parent directory to disk */
+void syncParent(const Path & path);
 
 /* Read a line from a file descriptor. */
 std::string readLine(int fd);
@@ -231,6 +234,7 @@ public:
 explicit operator bool() const;
 int release();
 void close();
+ void fsync();
 };
 
 
From ca22936853a8ac582f0c2900a9de2531f26cb522 Mon Sep 17 00:00:00 2001 From: hiroqn <909385+hiroqn@users.noreply.github.com> Date: Mon, 19 Sep 2022 03:39:15 +0900 Subject: [PATCH 34/46] fix `uname -m` return value for armv6l/armv7l --- scripts/install.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install.in b/scripts/install.in
index af5f71080..7d2e52b26 100755
--- a/scripts/install.in
+++ b/scripts/install.in
@@ -40,12 +40,12 @@ case "$(uname -s).$(uname -m)" in
 path=@tarballPath_aarch64-linux@
 system=aarch64-linux
 ;;
- Linux.armv6l_linux)
+ Linux.armv6l)
 hash=@tarballHash_armv6l-linux@
 path=@tarballPath_armv6l-linux@
 system=armv6l-linux
 ;;
- Linux.armv7l_linux)
+ Linux.armv7l)
 hash=@tarballHash_armv7l-linux@
 path=@tarballPath_armv7l-linux@
 system=armv7l-linux
From d234d01f010e99c1519b849dd50a502a8af7ede1 Mon Sep 17 00:00:00 2001 
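Review bot: The header comment `/* Write a string to a file. */` in the `@@ -115,9 +115,12 @@` hunk says nothing about the new `sync` parameter, so its contract is only discoverable by reading util.cc. Suggest `/* Write a string to a file. If `sync` is true, fsync the file and then its parent directory before returning. Throws SysError if the file or directory cannot be opened or synced. */`, and the `syncParent` comment could likewise say that it opens `dirOf(path)` and throws `SysError` on failure. `AutoCloseFD::fsync()` in the second hunk would benefit from a one-line comment noting that it is a no-op when no descriptor is held.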
From: Alyssa Ross Date: Tue, 20 Sep 2022 11:01:40 +0000 Subject: [PATCH 35/46] nix repl: warn if creating dir for history fails The history is not critical to the functionality of nix repl, so it's enough to warn here, rather than refuse to start if the directory Nix thinks the history should live in can't be created. --- src/libcmd/repl.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libcmd/repl.cc b/src/libcmd/repl.cc index 150bd42ac..61c05050f 100644 --- a/src/libcmd/repl.cc +++ b/src/libcmd/repl.cc @@ -242,7 +242,11 @@ void NixRepl::mainLoop() // Allow nix-repl specific settings in .inputrc rl_readline_name = "nix-repl"; - createDirs(dirOf(historyFile)); + try { + createDirs(dirOf(historyFile)); + } catch (SysError & e) { + logWarning(e.info()); + } #ifndef READLINE el_hist_size = 1000; #endif From 752f967c0fe2489fe13d8c2c65c3ecba72064adc Mon Sep 17 00:00:00 2001 From: John Ericson Date: Thu, 22 Sep 2022 10:43:48 -0400 Subject: [PATCH 36/46] "valid signature" -> "trustworthy signature" I just had a colleague get confused by the previous phrase for good reason. "valid" sounds like an *objective* criterion, e.g. and *invalid signature* would be one that would be trusted by no one, e.g. because it misformatted or something. What is actually going is that there might be a signature which is perfectly valid to *someone else*, but not to the user, because they don't trust the corresponding public key. This is a *subjective* criterion, because it depends on the arbitrary and personal choice of which public keys to trust. I therefore think "trustworthy" is a better adjective to use. Whether something is worthy of trust is clearly subjective, and then "trust" within that word nicely evokes `trusted-public-keys` and friends. --- src/libstore/globals.hh | 2 +- src/libstore/local-store.cc | 4 ++-- src/nix/make-content-addressed.md | 2 +- src/nix/verify.cc | 2 +- tests/signing.sh | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) 
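Review bot: The new `catch (SysError & e)` in the `@@ -242,7 +242,11 @@` hunk covers only failures that `createDirs` reports as `SysError`; if it can also raise a plain `Error` (for example when a path component exists but is not a directory — not visible here), the repl would still refuse to start, which is the outcome the commit wants to avoid. Catching `Error & e` instead covers both, and `logWarning(e.info())` stays as it is. Readline will presumably fail again when it later reads or writes `historyFile` under the missing directory, so a comment such as `// History is best-effort: warn and keep going without it.` above the `try` would document the intended degradation. `NixRepl::mainLoop` starts and ends outside the hunk.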
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index e9d721e59..fb8f810c2 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -560,7 +560,7 @@ public: R"( If set to `true` (the default), any non-content-addressed path added or copied to the Nix store (e.g. when substituting from a binary - cache) must have a valid signature, that is, be signed using one of + cache) must have a trustworthy signature, that is, be signed using one of the keys listed in `trusted-public-keys` or `secret-key-files`. Set to `false` to disable signature checking. )"}; diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 37302d3a8..b64ae6080 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -751,7 +751,7 @@ void LocalStore::registerDrvOutput(const Realisation & info, CheckSigsFlag check if (checkSigs == NoCheckSigs || !realisationIsUntrusted(info)) registerDrvOutput(info); else - throw Error("cannot register realisation '%s' because it lacks a valid signature", info.outPath.to_string()); + throw Error("cannot register realisation '%s' because it lacks a trustworthy signature", info.outPath.to_string()); } void LocalStore::registerDrvOutput(const Realisation & info) @@ -1266,7 +1266,7 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source, RepairFlag repair, CheckSigsFlag checkSigs) { if (checkSigs && pathInfoIsUntrusted(info)) - throw Error("cannot add path '%s' because it lacks a valid signature", printStorePath(info.path)); + throw Error("cannot add path '%s' because it lacks a trustworthy signature", printStorePath(info.path)); addTempRoot(info.path); diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md index 215683e6d..b0685bb6c 100644 --- a/src/nix/make-content-addressed.md +++ b/src/nix/make-content-addressed.md 
@@ -22,7 +22,7 @@ R""( ```console # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello - cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a valid signature + cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a trustworthy signature ``` * Create a content-addressed representation of the current NixOS diff --git a/src/nix/verify.cc b/src/nix/verify.cc index e92df1303..6dc539e24 100644 --- a/src/nix/verify.cc +++ b/src/nix/verify.cc @@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand addFlag({ .longName = "sigs-needed", .shortName = 'n', - .description = "Require that each path has at least *n* valid signatures.", + .description = "Require that each path has at least *n* trustworthy signatures.", .labels = {"n"}, .handler = {&sigsNeeded} }); diff --git a/tests/signing.sh b/tests/signing.sh index 6aafbeb91..74f57966a 100644 --- a/tests/signing.sh +++ b/tests/signing.sh @@ -81,7 +81,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2) [[ $info =~ 'cache1.example.org' ]] [[ $info =~ 'cache2.example.org' ]] -# Copying to a diverted store should fail due to a lack of valid signatures. +# Copying to a diverted store should fail due to a lack of trustworthy signatures. chmod -R u+w $TEST_ROOT/store0 || true rm -rf $TEST_ROOT/store0 (! nix copy --to $TEST_ROOT/store0 $outPath) From a2a8cb10ac17e03691b9f73ae14e5b6edbe66f4e Mon Sep 17 00:00:00 2001 From: John Ericson Date: Thu, 22 Sep 2022 14:36:26 -0400 Subject: [PATCH 37/46] Dodge "trusted" vs "trustworthy" by being explicit Hopefully this is best! --- src/libstore/globals.hh | 12 +++++++++--- src/libstore/local-store.cc | 4 ++-- src/nix/make-content-addressed.md | 2 +- src/nix/verify.cc | 2 +- tests/signing.sh | 2 +- 5 files changed, 14 insertions(+), 8 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index fb8f810c2..e2bb0ffc9 100644 --- a/src/libstore/globals.hh 
+++ b/src/libstore/globals.hh @@ -560,9 +560,15 @@ public: R"( If set to `true` (the default), any non-content-addressed path added or copied to the Nix store (e.g. when substituting from a binary - cache) must have a trustworthy signature, that is, be signed using one of - the keys listed in `trusted-public-keys` or `secret-key-files`. Set - to `false` to disable signature checking. + cache) must have a signature by a key we trust. A trusted key is one + listed in `trusted-public-keys`, or a public key counterpart to a + private key stored in a file listed in `secret-key-files`. + + Set to `false` to disable signature checking and trust all + non-content-addressed paths unconditionally. + + (Content-addressed paths are inherently trustworthy and thus + unaffected by this configuration option.) )"}; Setting extraPlatforms{ diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index b64ae6080..d374d4558 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -751,7 +751,7 @@ void LocalStore::registerDrvOutput(const Realisation & info, CheckSigsFlag check if (checkSigs == NoCheckSigs || !realisationIsUntrusted(info)) registerDrvOutput(info); else - throw Error("cannot register realisation '%s' because it lacks a trustworthy signature", info.outPath.to_string()); + throw Error("cannot register realisation '%s' because it lacks a signature by a trusted key", info.outPath.to_string()); } void LocalStore::registerDrvOutput(const Realisation & info) @@ -1266,7 +1266,7 @@ void LocalStore::addToStore(const ValidPathInfo & info, Source & source, RepairFlag repair, CheckSigsFlag checkSigs) { if (checkSigs && pathInfoIsUntrusted(info)) - throw Error("cannot add path '%s' because it lacks a trustworthy signature", printStorePath(info.path)); + throw Error("cannot add path '%s' because it lacks a signature by a trusted key", printStorePath(info.path)); addTempRoot(info.path); 
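Review bot: The added parenthetical `(Content-addressed paths are inherently trustworthy ...)` conflates integrity with trust: a content-addressed path is exempt from `require-sigs` because its name commits to its contents and can be verified locally, not because its contents are trusted, and the rest of this very paragraph is careful to reserve "trusted" for keys. Suggest `(Content-addressed paths can be verified against the hash in their own name and are therefore unaffected by this option.)`. The same patch's local-store.cc hunks need no change.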
diff --git a/src/nix/make-content-addressed.md b/src/nix/make-content-addressed.md index b0685bb6c..32eecc880 100644 --- a/src/nix/make-content-addressed.md +++ b/src/nix/make-content-addressed.md @@ -22,7 +22,7 @@ R""( ```console # nix copy --to /tmp/nix --trusted-public-keys '' nixpkgs#hello - cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a trustworthy signature + cannot add path '/nix/store/zy9wbxwcygrwnh8n2w9qbbcr6zk87m26-libunistring-0.9.10' because it lacks a signature by a trusted key ``` * Create a content-addressed representation of the current NixOS diff --git a/src/nix/verify.cc b/src/nix/verify.cc index 6dc539e24..1ddedd320 100644 --- a/src/nix/verify.cc +++ b/src/nix/verify.cc @@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand addFlag({ .longName = "sigs-needed", .shortName = 'n', - .description = "Require that each path has at least *n* trustworthy signatures.", + .description = "Require that each path has is signed by *n* different keys.", .labels = {"n"}, .handler = {&sigsNeeded} }); diff --git a/tests/signing.sh b/tests/signing.sh index 74f57966a..9b673c609 100644 --- a/tests/signing.sh +++ b/tests/signing.sh @@ -81,7 +81,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2) [[ $info =~ 'cache1.example.org' ]] [[ $info =~ 'cache2.example.org' ]] -# Copying to a diverted store should fail due to a lack of trustworthy signatures. +# Copying to a diverted store should fail due to a lack of signatures by trusted keys. chmod -R u+w $TEST_ROOT/store0 || true rm -rf $TEST_ROOT/store0 (! nix copy --to $TEST_ROOT/store0 $outPath) From 6e049ae607b53eba3c9c6bed260a0b39a3f73a70 Mon Sep 17 00:00:00 2001 
From: Matthew Bauer Date: Thu, 22 Sep 2022 13:59:16 -0500 Subject: [PATCH 38/46] Allow pass max-silent-time and build-poll-interval to daemon untrusted These settings seem harmless, they control the same polling functionality that timeout does, but with different behavior. Should be safe for untrusted users to pass in. --- src/libstore/daemon.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc index de69b50ee..48dd5c247 100644 --- a/src/libstore/daemon.cc +++ b/src/libstore/daemon.cc @@ -239,6 +239,8 @@ struct ClientSettings else if (trusted || name == settings.buildTimeout.name || name == settings.buildRepeat.name + || name == settings.maxSilentTime.name + || name == settings.pollInterval.name || name == "connect-timeout" || (name == "builders" && value == "")) settings.set(name, value); From e04b38f789ff2fb3a93f4cf5783b23430e5d2797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Fri, 23 Sep 2022 11:21:19 +0200 Subject: [PATCH 39/46] add ccacheStdenv when using ccache, rebuild time has been measured 89% faster while not slowing the speed of cold builds --- doc/manual/src/contributing/hacking.md | 5 ++++- flake.nix | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md index 59ce5cac7..e97b40cdd 100644 --- a/doc/manual/src/contributing/hacking.md +++ b/doc/manual/src/contributing/hacking.md @@ -42,7 +42,7 @@ $ nix develop ``` To get a shell with a different compilation environment (e.g. stdenv, -gccStdenv, clangStdenv, clang11Stdenv): +gccStdenv, clangStdenv, clang11Stdenv, ccacheStdenv): ```console $ nix-shell -A devShells.x86_64-linux.clang11StdenvPackages 
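Review bot: The two names added to the untrusted allow-list carry no comment on why an unprivileged client may set them; the reasoning lives only in the commit message, and this `else if` chain is the daemon's trust boundary, so the justification belongs next to the code, e.g. `// Build timing knobs: like build-timeout, these only affect the client's own builds.` above the chain. Also worth confirming: `settings.set(name, value)` applies whatever string the client sends, so a client can set `build-poll-interval` to `0`; if the worker uses that value as its wait timeout, the process serving the connection would spin, which is a cheap resource-exhaustion vector even if the setting is scoped to that connection. If `0` is problematic, reject it before the `settings.set` call rather than relying on the setting's parser. The enclosing function continues outside the hunk.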
@@ -54,6 +54,9 @@ or if you have a flake-enabled nix: $ nix develop .#clang11StdenvPackages ``` +Note: you can use `ccacheStdenv` to drastically improve rebuild +time. By default, ccache keeps artifacts in `~/.cache/ccache/`. + To build Nix itself in this shell: ```console diff --git a/flake.nix b/flake.nix index 1b26460e7..5416b9d75 100644 --- a/flake.nix +++ b/flake.nix @@ -23,7 +23,7 @@ crossSystems = [ "armv6l-linux" "armv7l-linux" ]; - stdenvs = [ "gccStdenv" "clangStdenv" "clang11Stdenv" "stdenv" "libcxxStdenv" ]; + stdenvs = [ "gccStdenv" "clangStdenv" "clang11Stdenv" "stdenv" "libcxxStdenv" "ccacheStdenv" ]; forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); forAllSystemsAndStdenvs = f: forAllSystems (system: From 60e23c8baeb0e28ec163676b4fd4a24c40d89fe9 Mon Sep 17 00:00:00 2001 From: John Ericson Date: Fri, 23 Sep 2022 13:57:57 -0400 Subject: [PATCH 40/46] Apply suggestions from code review Co-authored-by: Valentin Gagarin Co-authored-by: Rune K. Svendsen --- src/libstore/globals.hh | 2 +- src/nix/verify.cc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index e2bb0ffc9..75927d395 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -560,7 +560,7 @@ public: R"( If set to `true` (the default), any non-content-addressed path added or copied to the Nix store (e.g. when substituting from a binary - cache) must have a signature by a key we trust. A trusted key is one + cache) must have a signature by a trusted key. A trusted key is one listed in `trusted-public-keys`, or a public key counterpart to a private key stored in a file listed in `secret-key-files`. diff --git a/src/nix/verify.cc b/src/nix/verify.cc index 1ddedd320..efa2434dc 100644 --- a/src/nix/verify.cc +++ b/src/nix/verify.cc 
@@ -41,7 +41,7 @@ struct CmdVerify : StorePathsCommand addFlag({ .longName = "sigs-needed", .shortName = 'n', - .description = "Require that each path has is signed by *n* different keys.", + .description = "Require that each path is signed by at least *n* different keys.", .labels = {"n"}, .handler = {&sigsNeeded} }); From 1a5d094be76468b5e32c866bbba34cd99521d042 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= <7226587+thufschmitt@users.noreply.github.com> Date: Sat, 24 Sep 2022 12:11:26 +0200 Subject: [PATCH 41/46] Mention `--accept-flake-config` in the related warning Make sure that people who run Nix in non-interactive mode (and so don't have the possibility to interactively accept the individual flake configuration settings) are aware of this flag. Fix #7086 --- src/libexpr/flake/config.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libexpr/flake/config.cc b/src/libexpr/flake/config.cc index 3e9d264b4..6df95f1f0 100644 --- a/src/libexpr/flake/config.cc +++ b/src/libexpr/flake/config.cc @@ -68,7 +68,7 @@ void ConfigFile::apply() } } if (!trusted) { - warn("ignoring untrusted flake configuration setting '%s'", name); + warn("ignoring untrusted flake configuration setting '%s'.\nPass '%s' to trust it", name, "--accept-flake-config"); continue; } } From dc205c75a24f4159ef92905b08cb59179d78c345 Mon Sep 17 00:00:00 2001 
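Review bot: The new text `Require that each path is signed by at least *n* different keys.` drops the trust qualifier this series introduced in patch 37: if `sigsNeeded` is compared against the number of signatures that verify under `trusted-public-keys`, signatures from unknown keys do not count toward *n*, and a user reading the flag description would assume they do. Suggest `.description = "Require that each path is signed by at least *n* different trusted keys.",` — the counting code is outside the hunk, so confirm which keys are counted first.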
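Review bot: The hint `Pass '--accept-flake-config' to trust it` reads as if the flag trusts only the single setting named in the warning, but as far as I can tell the flag accepts every setting in the flake's `nixConfig`, so a user following the hint in a non-interactive run grants more than the message implies. Suggest `warn("ignoring untrusted flake configuration setting '%s'.\nPass '%s' to trust all configuration settings declared by this flake", name, "--accept-flake-config");`. The rest of `ConfigFile::apply` is outside the hunk.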
From: Adam Joseph Date: Sat, 24 Sep 2022 23:51:09 -0700 Subject: [PATCH 42/46] src/libexpr/primops.cc: correct definition for intersectAttrs The current definition of `intersectAttrs` is incorrect: > Return a set consisting of the attributes in the set e2 that also exist in the > set e1. Recall that (Nix manual, section 5.1): > An attribute set is a collection of name-value-pairs (called attributes) According to the existing description of `intersectAttrs`, the following should evaluate to the empty set, since no key-value *pair* (i.e. attribute) exists in both sets: ``` builtins.intersectAttrs { x=3; } {x="foo";} ``` And yet: ``` nix-repl> builtins.intersectAttrs { x=3; } {x="foo";} { x = "foo"; } ``` Clearly the intent here was for the *names* of the resulting attribute set to be the intersection of the *names* of the two arguments, and for the values of the resulting attribute set to be the values from the second argument. This commit corrects the definition, making it match the implementation and intent. --- src/libexpr/primops.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index bc253d0a3..28b998474 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -2454,8 +2454,8 @@ static RegisterPrimOp primop_intersectAttrs({ .name = "__intersectAttrs", .args = {"e1", "e2"}, .doc = R"( - Return a set consisting of the attributes in the set *e2* that also - exist in the set *e1*. + Return a set consisting of the attributes in the set *e2* which have the + same name as some attribute in *e1*. )", .fun = prim_intersectAttrs, }); From eceaf1997ca5e88549e7ea0ab72104777dee4e87 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 26 Sep 2022 16:54:31 +0200 Subject: [PATCH 43/46] Remove FIXME --- tests/installer/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index c118937a6..8686dbb96 100644 
--- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -190,7 +190,6 @@ let $ssh "set -eux; $installScript" echo "Testing Nix installation..." - # FIXME: should update ~/.bashrc. $ssh < Date: Mon, 26 Sep 2022 16:57:06 +0200 Subject: [PATCH 44/46] Quote URLs --- tests/installer/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/installer/default.nix b/tests/installer/default.nix index 8686dbb96..32aa7889a 100644 --- a/tests/installer/default.nix +++ b/tests/installer/default.nix @@ -37,7 +37,7 @@ let /* "ubuntu-14-04" = { image = import { - url = https://app.vagrantup.com/ubuntu/boxes/trusty64/versions/20190514.0.0/providers/virtualbox.box; + url = "https://app.vagrantup.com/ubuntu/boxes/trusty64/versions/20190514.0.0/providers/virtualbox.box"; hash = "sha256-iUUXyRY8iW7DGirb0zwGgf1fRbLA7wimTJKgP7l/OQ8="; }; rootDisk = "box-disk1.vmdk"; @@ -47,7 +47,7 @@ let "ubuntu-16-04" = { image = import { - url = https://app.vagrantup.com/generic/boxes/ubuntu1604/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/ubuntu1604/versions/4.1.12/providers/libvirt.box"; hash = "sha256-lO4oYQR2tCh5auxAYe6bPOgEqOgv3Y3GC1QM1tEEEU8="; }; rootDisk = "box.img"; @@ -56,7 +56,7 @@ let "ubuntu-22-04" = { image = import { - url = https://app.vagrantup.com/generic/boxes/ubuntu2204/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/ubuntu2204/versions/4.1.12/providers/libvirt.box"; hash = "sha256-HNll0Qikw/xGIcogni5lz01vUv+R3o8xowP2EtqjuUQ="; }; rootDisk = "box.img"; @@ -65,7 +65,7 @@ let "fedora-36" = { image = import { - url = https://app.vagrantup.com/generic/boxes/fedora36/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/fedora36/versions/4.1.12/providers/libvirt.box"; hash = "sha256-rxPgnDnFkTDwvdqn2CV3ZUo3re9AdPtSZ9SvOHNvaks="; }; rootDisk = "box.img"; 
@@ -78,7 +78,7 @@ let /* "rhel-6" = { image = import { - url = https://app.vagrantup.com/generic/boxes/rhel6/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/rhel6/versions/4.1.12/providers/libvirt.box"; hash = "sha256-QwzbvRoRRGqUCQptM7X/InRWFSP2sqwRt2HaaO6zBGM="; }; rootDisk = "box.img"; @@ -88,7 +88,7 @@ let "rhel-7" = { image = import { - url = https://app.vagrantup.com/generic/boxes/rhel7/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/rhel7/versions/4.1.12/providers/libvirt.box"; hash = "sha256-b4afnqKCO9oWXgYHb9DeQ2berSwOjS27rSd9TxXDc/U="; }; rootDisk = "box.img"; @@ -97,7 +97,7 @@ let "rhel-8" = { image = import { - url = https://app.vagrantup.com/generic/boxes/rhel8/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/rhel8/versions/4.1.12/providers/libvirt.box"; hash = "sha256-zFOPjSputy1dPgrQRixBXmlyN88cAKjJ21VvjSWUCUY="; }; rootDisk = "box.img"; @@ -107,7 +107,7 @@ let "rhel-9" = { image = import { - url = https://app.vagrantup.com/generic/boxes/rhel9/versions/4.1.12/providers/libvirt.box; + url = "https://app.vagrantup.com/generic/boxes/rhel9/versions/4.1.12/providers/libvirt.box"; hash = "sha256-vL/FbB3kK1rcSaR627nWmScYGKGk4seSmAdq6N5diMg="; }; rootDisk = "box.img"; From 19f3ecd830d092caccf43ab122b9a01ccb2ce98f Mon Sep 17 00:00:00 2001 From: Linus Heckemann Date: Tue, 27 Sep 2022 00:06:56 +0200 Subject: [PATCH 45/46] nix-build: remove unused --add-root arg Fixes #1982 --- src/nix-build/nix-build.cc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/nix-build/nix-build.cc b/src/nix-build/nix-build.cc index df292dce6..adcaab686 100644 --- a/src/nix-build/nix-build.cc +++ b/src/nix-build/nix-build.cc @@ -85,7 +85,6 @@ static void main_nix_build(int argc, char * * argv) Strings attrPaths; Strings left; RepairFlag repair = NoRepair; - Path gcRoot; BuildMode buildMode = bmNormal; bool readStdin = false; 
@@ -167,9 +166,6 @@ static void main_nix_build(int argc, char * * argv) else if (*arg == "--out-link" || *arg == "-o") outLink = getArg(*arg, arg, end); - else if (*arg == "--add-root") - gcRoot = getArg(*arg, arg, end); - else if (*arg == "--dry-run") dryRun = true; From 02597022193ba46092fe5a4895235e49031be38e Mon Sep 17 00:00:00 2001 From: Jonathan Coates Date: Tue, 27 Sep 2022 12:59:37 +0100 Subject: [PATCH 46/46] Use exit instead of return in fish profile Older versions of Fish (such as those bundled with Ubuntu LTS 22.04) do not support return outside of functions. We need to use the equivalent exit instead. --- scripts/nix-profile-daemon.fish.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/nix-profile-daemon.fish.in b/scripts/nix-profile-daemon.fish.in index 56d851a9c..3d587dd7f 100644 --- a/scripts/nix-profile-daemon.fish.in +++ b/scripts/nix-profile-daemon.fish.in @@ -1,6 +1,6 @@ # Only execute this file once per shell. if test -n "$__ETC_PROFILE_NIX_SOURCED" - return + exit end set __ETC_PROFILE_NIX_SOURCED 1
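Review bot: `exit` at the top level of a sourced startup file has a very different meaning in POSIX shells (it ends the login shell), and the hunk leaves no comment saying why it is correct here, so a later maintainer is likely to revert it to `return`. Whether `exit` in a file loaded with `source` stops only that file on every fish version this script supports is inferred from the commit message, not visible here, and is worth confirming before merging since this file is sourced on every shell start. Suggest a comment above the line: `# 'exit' rather than 'return': fish before 3.4 rejects 'return' outside a function, and in a sourced file 'exit' stops this file only.`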