authorIlya K <me@0upti.me>2024-04-13 12:15:20 +0000
committerGerrit Code Review <gerrit@lix>2024-04-13 12:15:20 +0000
commit8d15e6af4b7446b8f542edfee8da035c97bdbbca (patch)
tree8aabab305442feb70569994791163b58548df334 /src/libstore
parentded64e282240fc651a9dcbadd270096058cb0373 (diff)
parentb469c6509ba616da6df8a27e4ccb205a877c66c9 (diff)
Merge "libstore/build: just copy the magic /etc files into the sandbox" into main
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build/local-derivation-goal.cc25
1 files changed, 21 insertions, 4 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 588fe33ba..193fc598e 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -410,7 +410,7 @@ static void doBind(const Path & source, const Path & target, bool optional = fal
} else if (S_ISLNK(st.st_mode)) {
// Symlinks can (apparently) not be bind-mounted, so just copy it
createDirs(dirOf(target));
- copyFile(source, target, /* andDelete */ false);
+ copyFile(source, target, {});
} else {
createDirs(dirOf(target));
writeFile(target, "");
@@ -1811,8 +1811,25 @@ void LocalDerivationGoal::runChild()
happens when testing Nix building fixed-output derivations
within a pure derivation. */
for (auto & path : { "/etc/resolv.conf", "/etc/services", "/etc/hosts" })
- if (pathExists(path))
- ss.push_back(path);
+ if (pathExists(path)) {
+ // Copy the actual file, not the symlink, because we don't know where
+ // the symlink is pointing, and we don't want to chase down the entire
+ // chain.
+ //
+ // This means if your network config changes during a FOD build,
+ // the DNS in the sandbox will be wrong. However, this is pretty unlikely
+ // to actually be a problem, because FODs are generally pretty fast,
+ // and machines with often-changing network configurations probably
+ // want to run resolved or some other local resolver anyway.
+ //
+ // There's also just no simple way to do this correctly, you have to manually
+ // inotify watch the files for changes on the outside and update the sandbox
+ // while the build is running (or at least that's what Flatpak does).
+ //
+ // I also just generally feel icky about modifying sandbox state under a build,
+ // even though it really shouldn't be a big deal. -K900
+ copyFile(path, chrootRootDir + path, { .followSymlinks = true });
+ }
if (settings.caFile != "")
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
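Review bot: The guard on the new `if (pathExists(path))` line no longer matches what the body does: if `pathExists` is lstat-based like the rest of libutil, it returns true for a dangling `/etc/resolv.conf` symlink (a common state on hosts whose resolver stub file is absent), and the following `copyFile(..., { .followSymlinks = true })` will then throw and abort the build, where the old bind-mount path merely reproduced the dangling link inside the sandbox. These three files are best-effort inputs, so the copy should degrade like a missing file does, e.g. `try { copyFile(path, chrootRootDir + path, { .followSymlinks = true }); } catch (SysError &) { /* dangling or unreadable symlink chain: treat as absent */ }`, or resolve the link and re-check existence before copying. It would also be worth stating in the comment block that, because the symlink chain is resolved outside the sandbox, the copied content is whatever the daemon can read at that moment, so the files' mode and ownership inside the chroot come from `copyFile` rather than from the bind mount as before. runChild's body continues outside the hunk, so whether anything else still expects these paths in `ss` cannot be checked here.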
@@ -2542,7 +2559,7 @@ SingleDrvOutputs LocalDerivationGoal::registerOutputs()
// that there's no stale file descriptor pointing to it
Path tmpOutput = actualPath + ".tmp";
movePath(actualPath, tmpOutput);
- copyFile(tmpOutput, actualPath, true);
+ copyFile(tmpOutput, actualPath, { .deleteAfter = true });
auto newInfo0 = newInfoFromCA(DerivationOutput::CAFloating {
.method = dof.ca.method,