Build IFD in the build store when using eval-store.

Previously, IFDs would be built within the eval store, even though one is typically using `--eval-store` precisely to *avoid* local builds. Because the resulting Nix expression must be copied back to the eval store in order to be imported, this requires the eval store to trust the build store's signatures.
2024-11-22 05:56:15 +02:00 · 2023-12-23 21:26:12 -05:00 · 2023-12-23 21:26:12 -05:00 · c3942ef85f
commit c3942ef85f
parent 9cb287657b
3 changed files with 29 additions and 6 deletions
--- a/doc/manual/rl-next/ifd-eval-store.md
+++ b/doc/manual/rl-next/ifd-eval-store.md
@ -0,0 +1,8 @@
+---
+synopsis: import-from-derivation builds the derivation in the build store
+prs: 9661
+---
+
+When using `--eval-store`, `import`ing from a derivation will now result in the derivation being built on the build store, i.e. the store specified in the `store` Nix option.
+
+Because the resulting Nix expression must be copied back to the eval store in order to be imported, this requires the eval store to trust the build store's signatures.
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -84,14 +84,14 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
    /* Build/substitute the context. */
    std::vector<DerivedPath> buildReqs;
    for (auto & d : drvs) buildReqs.emplace_back(DerivedPath { d });
-    store->buildPaths(buildReqs);
+    buildStore->buildPaths(buildReqs, bmNormal, store);
+
+    StorePathSet outputsToCopyAndAllow;

    for (auto & drv : drvs) {
-        auto outputs = resolveDerivedPath(*store, drv);
+        auto outputs = resolveDerivedPath(*buildStore, drv, &*store);
        for (auto & [outputName, outputPath] : outputs) {
-            /* Add the output of this derivations to the allowed
-               paths. */
-            allowPath(store->toRealPath(outputPath));
+            outputsToCopyAndAllow.insert(outputPath);

            /* Get all the output paths corresponding to the placeholders we had */
            if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)) {
@ -101,12 +101,19 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
                            .drvPath = drv.drvPath,
                            .output = outputName,
                        }).render(),
-                    store->printStorePath(outputPath)
+                    buildStore->printStorePath(outputPath)
                );
            }
        }
    }

+    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);
+    for (auto & outputPath : outputsToCopyAndAllow) {
+        /* Add the output of this derivations to the allowed
+           paths. */
+        allowPath(store->toRealPath(outputPath));
+    }
+
    return res;
 }

--- a/tests/functional/eval-store.sh
+++ b/tests/functional/eval-store.sh
@ -40,3 +40,11 @@ if [[ ! -n "${NIX_TESTS_CA_BY_DEFAULT:-}" ]]; then
    (! ls $NIX_STORE_DIR/*.drv)
 fi
 ls $eval_store/nix/store/*.drv
+
+clearStore
+rm -rf "$eval_store"
+
+# Confirm that import-from-derivation builds on the build store
+[[ $(nix eval --eval-store "$eval_store?require-sigs=false" --impure --raw --file ./ifd.nix) = hi ]]
+ls $NIX_STORE_DIR/*dependencies-top/foobar
+(! ls $eval_store/nix/store/*dependencies-top/foobar)