kn
4e781b4eaa
Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
...
getsockopt(2) documents this; ucred is wrong ("cr_" member prefix, no pid).
(cherry picked from commit 10ccdb7a41)
2024-07-03 15:57:17 +00:00
John Ericson
5d32212b27
Indent some CPP in nix daemon
...
Makes it easier for me to read.
(cherry picked from commit a09360400b)
2024-07-03 15:57:17 +00:00
Robert Hensing
6432c21b01
Fix #10947; don't cache disallowed IFD
...
(cherry picked from commit fd94b74ee5)
2024-07-01 11:25:08 +02:00
tomberek
20ac781190
Merge pull request from GHSA-q82p-44mg-mgh5
...
Fix sandbox escape 2.23
2024-06-26 18:49:22 -04:00
Shogo Takata
fd14479103
accept response from gitlab with more than one entry
...
(cherry picked from commit 0468061dd2)
2024-06-24 12:24:06 +00:00
Eelco Dolstra
07b9fae361
Fix --no-sandbox
...
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.
(cherry picked from commit d54590fdf3)
2024-06-21 17:07:59 +02:00
Eelco Dolstra
71af23ff18
Formatting
...
(cherry picked from commit 58b7b3fd15)
2024-06-21 17:07:55 +02:00
Eelco Dolstra
0882b75ceb
Put the chroot inside a directory that isn't group/world-accessible
...
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).
To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.
(cherry picked from commit ede95b1fc1)
2024-06-21 17:07:51 +02:00
Théophane Hufschmitt
930bb21893
Run the builds in a daemon-controlled directory
...
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.
This achieves two things:
1. It prevents builders from making their build directory world-readable
(or even writeable), which would allow the outside world to interact
with them.
2. It prevents external processes running as the build user (either
because that somehow leaked, maybe as a consequence of 1., or because
`build-users` isn't in use) from gaining access to the build
directory.
(cherry picked from commit 1d3696f0fb)
2024-06-21 17:07:41 +02:00
John Ericson
bbccb2fc43
hash: Compare hash algo second for back compat
...
Previously (in cfc18a7739), we forgot to
compare the algo at all. This means we keep the same ordering as before
by making the stuff we always have compared take priority.
(cherry picked from commit 25a9894943)
2024-06-12 23:35:49 +00:00
Tom Bereknyei
19b179cb08
fix: remove usage of XDG_RUNTIME_DIR for TMP
...
(cherry picked from commit 1363f51bcb)
2024-06-10 13:40:45 +00:00
Eelco Dolstra
61ab873a22
Typo
...
(cherry picked from commit 3e72ed9743)
2024-06-05 14:48:28 +00:00
Eelco Dolstra
4d788bda18
PackageInfo::queryDrvPath(): Don't dereference an empty optional
...
Fixes a regression introduced in f923ed6b6a.
https://hydra.nixos.org/build/262267313
(cherry picked from commit d2eeabf3e6)
2024-06-05 14:48:28 +00:00
Eelco Dolstra
21be03b233
Merge pull request #10840 from obsidiansystems/libutil-pkg-config
...
Create and install a `nix-util.pc`
2024-06-04 12:33:37 +02:00
Philipp
214051ba79
clarify note on nix_value_force (#10842)
...
* clarify note on `nix_value_force`
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-06-04 07:41:04 +00:00
John Ericson
06be6812a6
Create and install a nix-util.pc
...
Before, `-lnixutil` was just stuck in `nix-store.pc`, but that doesn't
seem so nice.
This prepares us to distribute `libnixutil` in a separate package if we
want, but it should be a good change either way. I suspect it wasn't
done before because libutil was an extra unstable interface, but I don't
think we need worry about that. *All* the C++ is less stable than the C
(or that's the goal at least).
For what it's worth, Lix also created this pkg-config file *en passant*
during their rename:
c97e17144e (diff-3c4f60cc44a0e35444c7f45331cfa50f76637118)
2024-06-03 14:14:40 -04:00
Eelco Dolstra
da92ad7dd2
Merge pull request #10592 from hercules-ci/builtins-warn
...
Add `builtins.warn`
2024-06-03 17:16:32 +02:00
Robert Hensing
70b1036224
builtins.warn: Use new EvalBaseError + "evaluation warning"
2024-06-03 16:24:21 +02:00
Robert Hensing
831d96d8d7
builtins.warn: Do not throw EvalError
2024-06-03 16:24:21 +02:00
Robert Hensing
c07500e14d
refactor: Extract EvalState::{runDebugRepl,canDebug}
2024-06-03 16:24:21 +02:00
Robert Hensing
da82d67022
builtins.warn: Require string argument
...
... so that we may perhaps later extend the interface.
Note that Nixpkgs' lib.warn already requires a string coercible
argument, so this is reasonable. Also note that string coercible
values aren't all strings, but in practice, for warn, they are.
2024-06-03 16:24:21 +02:00
Robert Hensing
923cbea2af
builtins.warn: Use logWarning
...
Constructing ErrorInfo is a little awkward for now, but this does
produce a richer log entry.
2024-06-03 16:24:21 +02:00
Robert Hensing
2d4c9d8f4a
Add builtins.warn
2024-06-03 16:24:21 +02:00
Eelco Dolstra
54a9fbe5d6
Merge remote-tracking branch 'origin/master' into large-path-warning
2024-06-03 16:17:52 +02:00
Eelco Dolstra
eb0d46fab6
Merge pull request #9897 from bryango/fix-submodule-subdir
...
libutil/url: fix git+file:./ parse error
2024-06-03 16:04:41 +02:00
Eelco Dolstra
ac3e5d22e3
Merge pull request #10028 from DavHau/fetchTree-shallow-default
...
fetchTree: shallow git fetching by default
2024-06-03 16:02:34 +02:00
John Ericson
4e62629a2d
Merge pull request #10833 from obsidiansystems/hash-ordering
...
Modernize `Hash` ordering with C++20 `<=>`
2024-06-03 09:50:04 -04:00
Eelco Dolstra
deac00c6d0
Rename large-path-warning-threshold -> warn-large-path-threshold
2024-06-03 15:49:15 +02:00
Eelco Dolstra
7f5b57d18f
Merge remote-tracking branch 'origin/master' into large-path-warning
2024-06-03 15:32:27 +02:00
Eelco Dolstra
ecfad6a828
Merge pull request #10564 from edolstra/remove-forceErrors
...
AttrCursor: Remove forceErrors
2024-06-03 15:30:01 +02:00
John Ericson
cfc18a7739
Modernize `Hash` ordering with C++20 `<=>`
...
Progress on #10832
This doesn't switch to auto-deriving the fields, but by defining `<=>`
we allow deriving `<=>` in downstream types where `Hash` is used.
2024-06-03 09:24:33 -04:00
Eelco Dolstra
d16fcaee21
Merge pull request #10782 from obsidiansystems/both-connections
...
Factor our connection code for worker proto like serve proto
2024-06-03 15:10:38 +02:00
John Ericson
84c65135a5
ValidPathInfo JSON format should use null, not omit field
...
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-06-03 08:21:22 -04:00
John Ericson
213a7a87b4
Decouple within-build (structured attrs) and unstable CLI path info JSON
...
See code comment for details.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-06-03 08:21:22 -04:00
Robert Hensing
b74a0df645
Merge pull request #10825 from tie/output-spec-assert
...
Fix empty outputsToInstall for InstallableAttrPath
2024-06-03 12:27:50 +02:00
Philipp Zander
25e2b1f7f7
improve note in nix_value_force documentation
2024-06-03 09:55:44 +02:00
Ivan Trubach
68090d7ff1
Fix empty outputsToInstall for InstallableAttrPath
...
Fixes assertion failure if outputsToInstall is empty by defaulting to the "out"
output. That is, behavior between the following commands should be consistent:
$ nix build --no-link --json .#nothing-to-install-no-out
error: derivation '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-nothing-to-install-no-out.drv' does not have wanted outputs 'out'
$ nix build --no-link --file default.nix --json nothing-to-install-no-out
error: derivation '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-nothing-to-install-no-out.drv' does not have wanted outputs 'out'
Real-world example of this issue:
$ nix build --json .#.legacyPackages.aarch64-linux.texlive.pkgs.iwona
error: derivation '/nix/store/dj0h6b0pnlnan5nidnhqa0bmzq4rv6sx-iwona-0.995b.drv' does not have wanted outputs 'out'
$ git rev-parse HEAD
eee33247cf6941daea8398c976bd2dda7962b125
$ nix build --json --file . texlive.pkgs.iwona
nix: src/libstore/outputs-spec.hh:46: nix::OutputsSpec::Names::Names(std::set<std::__cxx11::basic_string<char> >&&): Assertion `!empty()' failed.
Aborted (core dumped)
2024-06-02 14:26:18 +03:00
John Ericson
e0b159549b
Misc Windows fixes
...
1. Fix build by making the legacy SSH Store's secret `logFD` setting
not a setting on Windows. (It doesn't make sense to specify `void *`
handles by integer cross-process, I don't think.)
2. Move some files that don't need to be Unix-only anymore back to their
original locations.
2024-06-01 19:19:35 -04:00
Robert Hensing
802b4e403b
Merge pull request #10814 from Mic92/fix-nix-edit
...
Fix nix edit
2024-05-31 13:30:24 +02:00
Robert Hensing
84e116379c
Merge pull request #10812 from Mic92/build-perf
...
Remove 100s of CPU time (10%) from build times (1465s -> 1302s)
2024-05-31 13:28:24 +02:00
Jade Lovelace
473d2d56fc
Remove 100s of CPU time (10%) from build times (1465s -> 1302s)
...
Results from Mic92's framework 13th Gen Intel Core i7-1360P:
Before: 3595.92s user 183.01s system 1360% cpu 4:37.74 total
After: 3486.07s user 168.93s system 1354% cpu 4:29.79 total
I saw that boost/lexical_cast was costing about 100s in CPU time on our
compiles. We can fix this trivially by doing explicit template
instantiation in exactly one place and eliminating all other includes of
it, which is a code improvement anyway by hiding the boost.
Before:
```
lix/lix2 » ClangBuildAnalyzer --analyze buildtimeold.bin
Analyzing build trace from 'buildtimeold.bin'...
**** Time summary:
Compilation (551 times):
Parsing (frontend): 1465.3 s
Codegen & opts (backend): 1110.9 s
<snip>
**** Expensive headers:
178153 ms: ../src/libcmd/installable-value.hh (included 52 times, avg 3426 ms), included via:
40x: command.hh
5x: command-installable-value.hh
3x: installable-flake.hh
2x: <direct include>
2x: installable-attr-path.hh
176217 ms: ../src/libutil/error.hh (included 246 times, avg 716 ms), included via:
36x: command.hh installable-value.hh installables.hh derived-path.hh config.hh experimental-features.hh
12x: globals.hh config.hh experimental-features.hh
11x: file-system.hh file-descriptor.hh
6x: serialise.hh strings.hh
6x: <direct include>
6x: archive.hh serialise.hh strings.hh
...
173243 ms: ../src/libstore/store-api.hh (included 152 times, avg 1139 ms), included via:
55x: <direct include>
39x: command.hh installable-value.hh installables.hh
7x: libexpr.hh
4x: local-store.hh
4x: command-installable-value.hh installable-value.hh installables.hh
3x: binary-cache-store.hh
...
170482 ms: ../src/libutil/serialise.hh (included 201 times, avg 848 ms), included via:
37x: command.hh installable-value.hh installables.hh built-path.hh realisation.hh hash.hh
14x: store-api.hh nar-info.hh hash.hh
11x: <direct include>
7x: primops.hh eval.hh attr-set.hh nixexpr.hh value.hh source-path.hh archive.hh
7x: libexpr.hh value.hh source-path.hh archive.hh
6x: fetchers.hh hash.hh
...
169397 ms: ../src/libcmd/installables.hh (included 53 times, avg 3196 ms), included via:
40x: command.hh installable-value.hh
5x: command-installable-value.hh installable-value.hh
3x: installable-flake.hh installable-value.hh
2x: <direct include>
1x: installable-derived-path.hh
1x: installable-value.hh
...
159740 ms: ../src/libutil/strings.hh (included 221 times, avg 722 ms), included via:
37x: command.hh installable-value.hh installables.hh built-path.hh realisation.hh hash.hh serialise.hh
19x: <direct include>
14x: store-api.hh nar-info.hh hash.hh serialise.hh
11x: serialise.hh
7x: primops.hh eval.hh attr-set.hh nixexpr.hh value.hh source-path.hh archive.hh serialise.hh
7x: libexpr.hh value.hh source-path.hh archive.hh serialise.hh
...
156796 ms: ../src/libcmd/command.hh (included 51 times, avg 3074 ms), included via:
42x: <direct include>
7x: command-installable-value.hh
2x: installable-attr-path.hh
150392 ms: ../src/libutil/types.hh (included 251 times, avg 599 ms), included via:
36x: command.hh installable-value.hh installables.hh path.hh
11x: file-system.hh
10x: globals.hh
6x: fetchers.hh
6x: serialise.hh strings.hh error.hh
5x: archive.hh
...
133101 ms: /nix/store/644b90j1vms44nr18yw3520pzkrg4dd1-boost-1.81.0-dev/include/boost/lexical_cast.hpp (included 226 times, avg 588 ms), included via:
37x: command.hh installable-value.hh installables.hh built-path.hh realisation.hh hash.hh serialise.hh strings.hh
19x: file-system.hh
11x: store-api.hh nar-info.hh hash.hh serialise.hh strings.hh
7x: primops.hh eval.hh attr-set.hh nixexpr.hh value.hh source-path.hh archive.hh serialise.hh strings.hh
7x: libexpr.hh value.hh source-path.hh archive.hh serialise.hh strings.hh
6x: eval.hh attr-set.hh nixexpr.hh value.hh source-path.hh archive.hh serialise.hh strings.hh
...
132887 ms: /nix/store/h2abv2l8irqj942i5rq9wbrj42kbsh5y-gcc-12.3.0/include/c++/12.3.0/memory (included 262 times, avg 507 ms), included via:
36x: command.hh installable-value.hh installables.hh path.hh types.hh ref.hh
16x: gtest.h
11x: file-system.hh types.hh ref.hh
10x: globals.hh types.hh ref.hh
10x: json.hpp
6x: serialise.hh
...
done in 0.6s.
```
After:
```
lix/lix2 » maintainers/buildtime_report.sh build
Processing all files and saving to '/home/jade/lix/lix2/maintainers/../buildtime.bin'...
done in 0.6s. Run 'ClangBuildAnalyzer --analyze /home/jade/lix/lix2/maintainers/../buildtime.bin' to analyze it.
Analyzing build trace from '/home/jade/lix/lix2/maintainers/../buildtime.bin'...
**** Time summary:
Compilation (551 times):
Parsing (frontend): 1302.1 s
Codegen & opts (backend): 956.3 s
<snip>
**** Expensive headers:
178145 ms: ../src/libutil/error.hh (included 246 times, avg 724 ms), included via:
36x: command.hh installable-value.hh installables.hh derived-path.hh config.hh experimental-features.hh
12x: globals.hh config.hh experimental-features.hh
11x: file-system.hh file-descriptor.hh
6x: <direct include>
6x: serialise.hh strings.hh
6x: fetchers.hh hash.hh serialise.hh strings.hh
...
154043 ms: ../src/libcmd/installable-value.hh (included 52 times, avg 2962 ms), included via:
40x: command.hh
5x: command-installable-value.hh
3x: installable-flake.hh
2x: <direct include>
2x: installable-attr-path.hh
153593 ms: ../src/libstore/store-api.hh (included 152 times, avg 1010 ms), included via:
55x: <direct include>
39x: command.hh installable-value.hh installables.hh
7x: libexpr.hh
4x: local-store.hh
4x: command-installable-value.hh installable-value.hh installables.hh
3x: binary-cache-store.hh
...
149948 ms: ../src/libutil/types.hh (included 251 times, avg 597 ms), included via:
36x: command.hh installable-value.hh installables.hh path.hh
11x: file-system.hh
10x: globals.hh
6x: fetchers.hh
6x: serialise.hh strings.hh error.hh
5x: archive.hh
...
144560 ms: ../src/libcmd/installables.hh (included 53 times, avg 2727 ms), included via:
40x: command.hh installable-value.hh
5x: command-installable-value.hh installable-value.hh
3x: installable-flake.hh installable-value.hh
2x: <direct include>
1x: installable-value.hh
1x: installable-derived-path.hh
...
136585 ms: ../src/libcmd/command.hh (included 51 times, avg 2678 ms), included via:
42x: <direct include>
7x: command-installable-value.hh
2x: installable-attr-path.hh
133394 ms: /nix/store/h2abv2l8irqj942i5rq9wbrj42kbsh5y-gcc-12.3.0/include/c++/12.3.0/memory (included 262 times, avg 509 ms), included via:
36x: command.hh installable-value.hh installables.hh path.hh types.hh ref.hh
16x: gtest.h
11x: file-system.hh types.hh ref.hh
10x: globals.hh types.hh ref.hh
10x: json.hpp
6x: serialise.hh
...
89315 ms: ../src/libstore/derived-path.hh (included 178 times, avg 501 ms), included via:
37x: command.hh installable-value.hh installables.hh
25x: store-api.hh realisation.hh
7x: primops.hh eval.hh attr-set.hh nixexpr.hh value.hh context.hh
6x: eval.hh attr-set.hh nixexpr.hh value.hh context.hh
6x: libexpr.hh value.hh context.hh
6x: shared.hh
...
87347 ms: /nix/store/h2abv2l8irqj942i5rq9wbrj42kbsh5y-gcc-12.3.0/include/c++/12.3.0/ostream (included 273 times, avg 319 ms), included via:
35x: command.hh installable-value.hh installables.hh path.hh types.hh ref.hh memory unique_ptr.h
12x: regex sstream istream
10x: file-system.hh types.hh ref.hh memory unique_ptr.h
10x: gtest.h memory unique_ptr.h
10x: globals.hh types.hh ref.hh memory unique_ptr.h
6x: fetchers.hh types.hh ref.hh memory unique_ptr.h
...
85249 ms: ../src/libutil/config.hh (included 213 times, avg 400 ms), included via:
37x: command.hh installable-value.hh installables.hh derived-path.hh
20x: globals.hh
20x: logging.hh
16x: store-api.hh logging.hh
6x: <direct include>
6x: eval.hh attr-set.hh nixexpr.hh value.hh context.hh derived-path.hh
...
done in 0.5s.
```
Adapted from 18aa3e1d57
2024-05-31 13:00:09 +02:00
Robert Hensing
138aa2b0a7
Merge pull request #10807 from hercules-ci/issue-10504-nix-env-shell
...
Add `nix env shell`
2024-05-31 12:34:03 +02:00
Jörg Thalheim
e1a817fb1b
fix nix edit in pure mode
...
FilteringSourceAccessor was not delegating getPhysicalPath to its inner accessor.
2024-05-31 10:39:30 +02:00
Linus Heckemann
a9031978da
libfetchers: handle nonexistent refs in GitLab repos more gracefully
...
Before:
$ nix flake lock --override-input nixpkgs gitlab:simple-nixos-mailserver/nixos-mailserver/nonexistent
fetching git input 'git+file:///home/linus/projects/lix'
fetching gitlab input 'gitlab:simple-nixos-mailserver/nixos-mailserver/nonexistent'
error: [json.exception.type_error.302] type must be string, but is null
After:
/tmp/inst/bin/nix flake lock --override-input nixpkgs gitlab:simple-nixos-mailserver/nixos-mailserver/nonexistent
warning: unknown experimental feature 'repl-flake'
error:
… while updating the lock file of flake 'git+file:///home/joerg/git/nix?ref=refs/heads/master&rev=62693c2c37c8edd92f95114eb1387b461fc671df'
… while updating the flake input 'nixpkgs'
… while fetching the input 'gitlab:simple-nixos-mailserver/nixos-mailserver/nonexistent'
error: No commits returned by GitLab API -- does the git ref really exist?
Adapted from: 3df013597d
2024-05-31 08:24:53 +02:00
Robert Hensing
d93cc11491
Format
2024-05-30 19:41:58 +02:00
Robert Hensing
c692f6af13
nix env shell: Move from nix shell, add shorthand alias
2024-05-30 19:41:58 +02:00
Robert Hensing
98b85b2166
nix/main: Add AliasStatus::{Deprecated,AcceptedShorthand}
2024-05-30 19:41:58 +02:00
Robert Hensing
ef5c846e25
Merge pull request #10768 from obsidiansystems/legacy-ssh-expose-ssh-master-for-hydra
...
Create `CommonSSHStoreConfig::createSSHMaster`
2024-05-29 22:53:29 +02:00
Robert Hensing
1054ff0873
Merge pull request #10789 from nix-windows/windows-substitution-goal
...
More work on the scheduler for windows
2024-05-29 22:45:55 +02:00
Robert Hensing
154769544d
Merge pull request #10805 from hercules-ci/issue-10774
...
libcmd: Fix #10774
2024-05-29 22:39:00 +02:00