Commit graph

367 commits

Author SHA1 Message Date
Eelco Dolstra
f4279bcde0 * Don't run setuid root when build-users is empty.
* Send startup errors to the client.
2006-12-03 16:25:19 +00:00
Eelco Dolstra
35247c4c9f * Removed `build-allow-root'.
* Added `build-users-group', the group under which builds are to be
  performed.
* Check that /nix/store has 1775 permission and is owner by the
  build-users-group.
2006-12-03 15:32:38 +00:00
Eelco Dolstra
84d6459bd5 * Use setreuid if setresuid is not available. 2006-12-03 14:32:22 +00:00
Eelco Dolstra
536595b072 * Remove most of the old setuid code.
* Much simpler setuid code for the worker in slave mode.
2006-12-02 15:45:51 +00:00
Eelco Dolstra
e2ef5e07fd * Refactoring. There is now an abstract interface class StoreAPI
containing functions that operate on the Nix store.  One
  implementation is LocalStore, which operates on the Nix store
  directly.  The next step, to enable secure multi-user Nix, is to
  create a different implementation RemoteStore that talks to a
  privileged daemon process that uses LocalStore to perform the actual
  operations.
2006-11-30 17:43:04 +00:00
Eelco Dolstra
0541ddc7e3 * Turn off synchronisation between C and C++ I/O functions. This
gives a huge speedup in operations that read or write from standard
  input/output.  (So libstdc++'s I/O isn't that bad, you just have to
  call std::ios::sync_with_stdio(false).)  For instance, `nix-store
  --register-substitutes' went from 1.4 seconds to 0.1 seconds on a
  certain input.  Another victory for Valgrind.
2006-11-18 18:56:30 +00:00
Eelco Dolstra
4ad6fb7ea3 * Fix setuid builds. 2006-09-27 21:04:07 +00:00
Eelco Dolstra
bafc1690fc * Move setuid stuff to libutil.
* Install libexpr header files.
2006-09-04 22:55:28 +00:00
Eelco Dolstra
2382a729e0 * Don't need extern "C". 2006-09-04 21:50:39 +00:00
Eelco Dolstra
75068e7d75 * Use a proper namespace.
* Optimise header file usage a bit.
* Compile the parser as C++.
2006-09-04 21:06:23 +00:00
Eelco Dolstra
aab8812732 * Store the Nix libraries in ${libdir}/nix instead of ${libdir}. 2006-09-04 15:12:24 +00:00
Eelco Dolstra
547b119f25 * Support singleton values and nested lists again in `args', but print
a warning.
2006-08-29 15:40:49 +00:00
Eelco Dolstra
d19b6521fc * New configuration setting `build-max-jobs' which sets the default
for the `-j' flag (i.e., the maximum number of jobs to execute in
  parallel).  Useful on multi-processor machines.
2006-08-10 20:19:13 +00:00
Eelco Dolstra
a4273156c4 * Use $(libexecdir) to find find-runtime-roots.pl. 2006-07-20 13:21:37 +00:00
Eelco Dolstra
d51aede4af * Allow the canonical system name to be specified at runtime in the
Nix config file.
2006-07-06 15:30:37 +00:00
Eelco Dolstra
b5988004d6 * Support for srcdir != builddir (NIX-41). 2006-05-12 11:47:45 +00:00
Eelco Dolstra
fdea084c36 * Allow `make check' to work in directories that have symlink
components.
2006-03-10 22:27:26 +00:00
Eelco Dolstra
d822bf32e4 * Close the database before the destructor runs. 2006-03-01 16:36:35 +00:00
Eelco Dolstra
5b527901ae * dirOf: return "/", not "", for paths in the root directory. Fixes NIX-26. 2006-01-09 14:52:46 +00:00
Eelco Dolstra
9311ab76a5 * Install signal handlers for SIGTERM and SIGHUP. This ensures that
Nix is properly shut down when it receives those signals.  In
  particular this ensures that killing the garbage collector doesn't
  cause a subsequent database recovery.
2005-11-04 15:34:09 +00:00
Eelco Dolstra
32282abcea * Beginning of secure multi-user Nix stores. If Nix is started as
root (or setuid root), then builds will be performed under one of
  the users listed in the `build-users' configuration variables.  This
  is to make it impossible to influence build results externally,
  allowing locally built derivations to be shared safely between
  users (see ASE-2005 paper).

  To do: only one builder should be active per build user.
2005-10-17 15:33:24 +00:00
Eelco Dolstra
4c20a08293 * Build dynamic libraries. 2005-07-22 14:52:45 +00:00
Eelco Dolstra
a37338815d * A GC setting `gc-keep-outputs' to specify whether output paths of
derivations should be kept.
2005-02-01 22:07:48 +00:00
Eelco Dolstra
dcc37c236c * nix-store, nix-instantiate: added an option `--add-root' to
immediately add the result as a permanent GC root.  This is the only
  way to prevent a race with the garbage collector.  For instance, the
  old style

    ln -s $(nix-store -r $(nix-instantiate foo.nix)) \
      /nix/var/nix/gcroots/result

  has two time windows in which the garbage collector can interfere
  (by GC'ing the derivation and the output, respectively).  On the
  other hand,

    nix-store --add-root /nix/var/nix/gcroots/result -r \
      $(nix-instantiate --add-root /nix/var/nix/gcroots/drv \
        foo.nix)

  is safe.

* nix-build: use `--add-root' to prevent GC races.
2005-02-01 12:36:25 +00:00
Eelco Dolstra
207bdcbe86 * Automatically remove temporary root files. 2005-01-31 21:20:59 +00:00
Eelco Dolstra
22cfdfa246 * Use NIX_STORE environment variable to locate the store (in addition
to NIX_STORE_DIR) so that Nix invocations in builders in `make
  check' work correctly if the store doesn't exist.
2005-01-28 13:19:16 +00:00
Eelco Dolstra
96de272b48 * Renamed normalise.cc' -> build.cc', `storeexprs.cc' ->
`derivations.cc', etc.
* Store the SHA-256 content hash of store paths in the database after
  they have been built/added.  This is so that we can check whether
  the store has been messed with (a la `rpm --verify').
* When registering path validity, verify that the closure property
  holds.
2005-01-19 16:39:47 +00:00
Eelco Dolstra
9530cc3170 * Start move towards SHA-256 hashes instead of MD5.
* Start cleaning up unique store path generation (they weren't always
  unique; in particular the suffix ("-aterm-2.2", "-builder.sh") was
  not part of the hash, therefore changes to the suffix would cause
  multiple store objects with the same hash).
2005-01-14 13:51:38 +00:00
Eelco Dolstra
a69534fc21 * Drop ATmake / ATMatcher also in handling store expressions. 2004-10-29 11:22:49 +00:00
Eelco Dolstra
f4d44a0026 * Allow certain operations to succeed even if we don't have write
permission to the Nix store or database.  E.g., `nix-env -qa' will
  work, but `nix-env -qas' won't (the latter needs DB access).  The
  option `--readonly-mode' forces this mode; otherwise, it's only
  activated when the database cannot be opened.
2004-10-25 14:38:23 +00:00
Eelco Dolstra
3ade3e7721 * Revert r1594 - it didn't solve the problem. Instead add
svn-revision to distributions, which should fix it.
2004-10-25 13:51:34 +00:00
Eelco Dolstra
2248becfd3 * Make sure that the prerelease version is included in `--version'. 2004-10-25 12:15:50 +00:00
Eelco Dolstra
dcc433de47 * Operation `--delete-generations' to delete generations of a
profile.  Arguments are either generation number, or `old' to delete
  all non-current generations.  Typical use:

  $ nix-env --delete-generations old
  $ nix-collect-garbage

* istringstream -> string2Int.
2004-09-10 13:32:08 +00:00
Eelco Dolstra
47f87072ad * A very dirty hack to make setuid installations a bit nicer to use.
Previously there was the problem that all files read by nix-env
  etc. should be reachable and readable by the Nix user.  So for
  instance building a Nix expression in your home directory meant that
  the home directory should have at least g+x or o+x permission so
  that the Nix user could reach the Nix expression.  Now we just
  switch back to the original user just prior to reading sources and
  the like.  The places where this happens are somewhat arbitrary,
  however.  Any scope that has a live SwitchToOriginalUser object in
  it is executed as the original user.

* Back out r1385.  setreuid() sets the saved uid to the new
  real/effective uid, which prevents us from switching back to the
  original uid.  setresuid() doesn't have this problem (although the
  manpage has a bug: specifying -1 for the saved uid doesn't leave it
  unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
Eelco Dolstra
5396304c73 * Use setre[ug]id() instead of setres[ug]id(), since the former is
more common than the latter (which exists only on Linux and
  FreeBSD).  We don't really care about dropping the saved IDs since
  there apparently is no way to quiry them in any case, so it can't
  influence the build (unlike the effective IDs which are checked by
  Perl for instance).
2004-09-09 15:55:31 +00:00
Eelco Dolstra
e043fc7d0b * Set the umask to known value (0022). This is important in a
setuid installation, since the calling user may have a more fascist
  umask (say, 0077), which would cause the store objects built by Nix
  to be unreadable to anyone other than the Nix user.
2004-09-09 14:16:02 +00:00
Eelco Dolstra
8f58733ef1 * The gid should also match. 2004-08-20 15:47:58 +00:00
Eelco Dolstra
1c90fabccc * Unbreak programs that are not setuid (such as nix-hash). 2004-08-20 15:31:46 +00:00
Eelco Dolstra
e77fbe0fa2 * On systems that have the setresuid() and setresgid() system calls to
set the real uid and gid to the effective uid and gid, the Nix
  binaries can be installed as owned by the Nix user and group instead
  of root, so no root involvement of any kind is necessary.

  Linux and FreeBSD have these functions.
2004-08-20 15:22:33 +00:00
Eelco Dolstra
2d35116c13 * Setuid support for sharing a Nix installation between multiple
users.

  If the configure flag `--enable-setuid' is used, the Nix programs
  nix-env, nix-store, etc. are installed with the setuid bit turned on
  so that they are executed as the user and group specified by
  `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
  (with defaults `nix' and `nix').

  The setuid programs drop all special privileges if they are executed
  by a user who is not a member of the Nix group.

  The setuid feature is a quick hack to enable sharing of a Nix
  installation between users who trust each other.  It is not
  generally secure, since any user in the Nix group can modify (by
  building an appropriate derivation) any object in the store, and for
  instance inject trojans into binaries used by other users.

  The setuid programs are owned by root, not the Nix user.  This is
  because on Unix normal users cannot change the real uid, only the
  effective uid.  Many programs don't work properly when the real uid
  differs from the effective uid.  For instance, Perl will turn on
  taint mode.  However, the setuid programs drop all root privileges
  immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
Eelco Dolstra
1eddee59f2 * The default verbosity level of all Nix commands is now lvlInfo.
* Builder output is written to standard error by default.
  * The option `-B' is gone.
  * The option `-Q' suppresses builder output.

The result of this is that most Nix invocations shouldn't need any
flags w.r.t. logging.
2004-08-18 12:19:06 +00:00
Eelco Dolstra
91dc023665 * Added a switch `--fallback'. From the manual:
Whenever Nix attempts to realise a derivation for which a closure is
  already known, but this closure cannot be realised, fall back on
  normalising the derivation.

  The most common scenario in which this is useful is when we have
  registered substitutes in order to perform binary distribution from,
  say, a network repository.  If the repository is down, the
  realisation of the derivation will fail.  When this option is
  specified, Nix will build the derivation instead.  Thus, binary
  installation falls back on a source installation.  This option is
  not the default since it is generally not desirable for a transient
  failure in obtaining the substitutes to lead to a full build from
  source (with the related consumption of resources).
2004-06-28 10:42:57 +00:00
Eelco Dolstra
b113edeab7 * A flag `--keep-going / -k' to keep building goals if one fails, as
much as possible.  (This is similar to GNU Make's `-k' flag.)

* Refactoring to implement this: previously we just bombed out when
  a build failed, but now we have to clean up.  In particular this
  means that goals must be freed quickly --- they shouldn't hang
  around until the worker exits.  So the worker now maintains weak
  pointers in order not to prevent garbage collection.

* Documented the `-k' and `-j' flags.
2004-06-25 15:36:09 +00:00
Eelco Dolstra
a8306cb98f * The build hooks used to implement distributed builds can now be run
in parallel.  Hooks are more efficient: locks on output paths are
  only acquired when the hook says that it is willing to accept a
  build job.  Hooks now work in two phases.  First, they should first
  tell Nix whether they are willing to accept a job.  Nix guarantuees
  that no two hooks will ever be in the first phase at the same time
  (this simplifies the implementation of hooks, since they don't have
  to perform locking (?)).  Second, if they accept a job, they are
  then responsible for building it (on the remote system), and copying
  the result back.  These can be run in parallel with other hooks and
  locally executed jobs.

  The implementation is a bit messy right now, though.  

* The directory `distributed' shows a (hacky) example of a hook that
  distributes build jobs over a set of machines listed in a
  configuration file.
2004-05-13 19:14:49 +00:00
Eelco Dolstra
efa5fa1a91 * A switch `-j NUMBER' to set the maximum number of parallel jobs (0 =
no limit).
* Add missing file to distribution.
2004-05-12 14:20:32 +00:00
Eelco Dolstra
8c0b42f857 * An quick and dirty hack to support distributed builds. 2004-05-12 09:35:51 +00:00
Eelco Dolstra
c8d3882cdc * True parallel builds. Nix can now run as many build jobs in
parallel as possible (similar to GNU Make's `-j' switch).  This is
  useful on SMP systems, but it is especially useful for doing builds
  on multiple machines.  The idea is that a large derivation is
  initiated on one master machine, which then distributes
  sub-derivations to any number of slave machines.  This should not
  happen synchronously or in lock-step, so the master must be capable
  of dealing with multiple parallel build jobs.  We now have the
  infrastructure to support this.

  TODO: substitutes are currently broken.
2004-05-11 18:05:44 +00:00
Eelco Dolstra
256eeab711 * Allow the location of the store etc. to be specified using
environment variables.
* Started adding some automatic tests.
* Do a `make check' when building RPMs.
2004-05-04 12:15:30 +00:00
Eelco Dolstra
f8cd904e05 * Disallow the Nix store or any of its parents from being symlinks.
This is because the contents of these symlinks are not incorporated
  into the hashes of derivations, and could therefore cause a mismatch
  between the build system and the target system.  E.g., if
  `/nix/store' is a symlink to `/data/nix/store', then a builder could
  expand this path and store the result.  If on the target system
  `/nix/store' is not a symlink, or is a symlink that points somewhere
  else, we have a dangling pointer.

  The trigger for this change is that gcc 3.3.3 does exactly that (it
  applies realpath() to some files, such as libraries, which causes
  our impurity checker to bail out.)

  An annoying side-effect of this change is that it makes it harder to
  move the Nix store to a different file system.  On Linux, bind
  mounts can be used instead of symlink for this purpose (e.g., `mount
  -o bind /data/nix/store /nix/store').
2004-03-27 17:58:04 +00:00
Eelco Dolstra
777e13b94b * Nix now has three different formats for the log information it
writes to stderr:
  
  - `pretty': the old nested style (default)
  - `escapes': uses escape codes to indicate nesting and message
    level; can be processed using `log2xml'
  - `flat': just plain text, no nesting

  These can be set using `--log-type TYPE' or the NIX_LOG_TYPE
  environment variable.
2004-03-22 20:53:49 +00:00
Eelco Dolstra
0dfdafdf6d * Allow linking against an external Berkeley DB / ATerm library. 2004-02-16 16:37:16 +00:00
Eelco Dolstra
f34de12140 * Allow the location of the store to be specified (--with-store-dir).
* Do not create stuff in localstatedir when doing `make install'
  (since we may not have write access).  In general, installation of
  constant code/data should be separate from the initialisation of
  mutable state.
2004-02-16 15:23:19 +00:00
Eelco Dolstra
76c0e85929 * The environment variable NIX_ROOT can now be set to execute Nix in a
chroot() environment.
* A operation `--validpath' to register path validity.  Useful for
  bootstrapping in a pure Nix environment.
* Safety checks: ensure that files involved in store operations are in
  the store.
2004-02-14 21:44:18 +00:00
Eelco Dolstra
d9f30fe7c7 * Sort `nix-env -q' output by derivation name.
* `--version' flag for all commands.
* Manual updates.
2004-02-02 10:51:54 +00:00
Eelco Dolstra
291030b900 * Remove debug message. 2004-01-15 20:58:44 +00:00
Eelco Dolstra
447089a5f6 * Catch SIGINT to terminate cleanly when the user tries to interrupt
Nix.  This is to prevent Berkeley DB from becoming wedged.

  Unfortunately it is not possible to throw C++ exceptions from a
  signal handler.  In fact, you can't do much of anything except
  change variables of type `volatile sig_atomic_t'.  So we set an
  interrupt flag in the signal handler and check it at various
  strategic locations in the code (by calling checkInterrupt()).
  Since this is unlikely to cover all cases (e.g., (semi-)infinite
  loops), sometimes SIGTERM may now be required to kill Nix.
2004-01-15 20:23:55 +00:00
Eelco Dolstra
ff9af107d3 * Option `-B' to always show the output of builders, regardless of
verbosity level.
2004-01-13 16:35:43 +00:00
Eelco Dolstra
833f2fc92d * GCC 2.95 compatibility. 2003-12-22 16:40:46 +00:00
Eelco Dolstra
078e20885e * Help text for all (non-script) programs, so no more:
$ nix-instantiate --help
error: unknown flag `--help`
Try `nix-instantiate --help' for more information.

:-)
2003-12-01 15:55:05 +00:00
Eelco Dolstra
66c115ef5f * More `make dist' fixes. 2003-11-25 13:01:21 +00:00
Eelco Dolstra
9898746ef3 * nix-env: a tool to manage user environments.
* Replace all directory reading code by a generic readDirectory()
  function.
2003-11-19 17:27:16 +00:00
Eelco Dolstra
9f0f020929 * libnix -> libstore. 2003-11-18 10:55:27 +00:00
Eelco Dolstra
8798fae304 * Source tree refactoring. 2003-11-18 10:47:59 +00:00
Eelco Dolstra
15801c88fa * Turned the msg() and debug() functions into macros, since they
turned out to be a huge performance bottleneck (the text to printed
  would always be evaluated, even when it was above the verbosity
  level).  This reduces fix-ng execution time by over 50%.

  gprof(1) is very useful. :-)
2003-11-09 10:35:45 +00:00
Eelco Dolstra
ff31324278 * Ignore options passed to the aterm library. 2003-11-03 18:21:53 +00:00
Eelco Dolstra
c62433751d * Finished refactoring the tree. 2003-10-20 10:05:01 +00:00
Eelco Dolstra
53e376d836 * Refactored the source tree. 2003-10-20 09:20:11 +00:00