author | alois31 <alois1@gmx-topmail.de> | 2024-10-23 15:20:51 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@localhost> | 2024-10-23 15:20:51 +0000 |
commit | 2734a9cf94debc6baef4e7d4d9fa28cc28f5b31d (patch) | |
tree | ba6be97cc5ac268941b1c8ac10507786a720357c /src/libstore | |
parent | 5f1344dd8aec59ce654a0fac30b1842e2e68299c (diff) | |
parent | 689eb45630a183f0fbbd8864cb7a3c7cb1704451 (diff) |
* changes:
treewide: make more settings conditionally available
libstore/build: only send overridden settings to the build hook
treewide: consistently mark overridden settings as such
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build/hook-instance.cc | 2 | ||||
-rw-r--r-- | src/libstore/builtins/fetchurl.cc | 4 | ||||
-rw-r--r-- | src/libstore/daemon.cc | 19 | ||||
-rw-r--r-- | src/libstore/globals.cc | 18 | ||||
-rw-r--r-- | src/libstore/globals.hh | 20 | ||||
-rw-r--r-- | src/libstore/remote-store.cc | 1 |
6 files changed, 37 insertions, 27 deletions
diff --git a/src/libstore/build/hook-instance.cc b/src/libstore/build/hook-instance.cc
index 521f34917..9f76eca4d 100644
--- a/src/libstore/build/hook-instance.cc
+++ b/src/libstore/build/hook-instance.cc
@@ -74,7 +74,7 @@ HookInstance::HookInstance()
 sink = FdSink(toHook.get());
 std::map<std::string, Config::SettingInfo> settings;
- globalConfig.getSettings(settings);
+ globalConfig.getSettings(settings, true);
 for (auto & setting : settings)
 sink << 1 << setting.first << setting.second.value;
 sink << 0;
diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
index b28eb01d0..69a9f993f 100644
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@@ -13,11 +13,11 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData,
 this to be stored in a file. It would be nice if we could just pass a pointer to the data. */
 if (netrcData != "") {
- settings.netrcFile = "netrc";
+ settings.netrcFile.override("netrc");
 writeFile(settings.netrcFile, netrcData, 0600);
 }
- settings.caFile = "ca-certificates.crt";
+ settings.caFile.override("ca-certificates.crt");
 writeFile(settings.caFile, caFileData, 0600);
 auto getAttr = [&](const std::string & name) {
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index a9239197b..93b405c01 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
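Review bot: The bare `true` in `globalConfig.getSettings(settings, true)` gives the reader no hint which settings the build hook stops receiving, and it is a behavioural narrowing: values the Settings constructor now installs through setDefault (see the globals.cc hunks, e.g. caFile from NIX_SSL_CERT_FILE) are presumably no longer forwarded, which is only safe if the hook process recomputes the same defaults from its own environment. I would name the flag and record that assumption, e.g. `globalConfig.getSettings(settings, /* overriddenOnly */ true); // hook computes its own defaults; forward explicit overrides only` (use the parameter's actual name). The HookInstance constructor body continues before and after the hunk.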
@@ -195,15 +195,15 @@ struct ClientSettings
 void apply(TrustedFlag trusted)
 {
- settings.keepFailed = keepFailed;
- settings.keepGoing = keepGoing;
- settings.tryFallback = tryFallback;
+ settings.keepFailed.override(keepFailed);
+ settings.keepGoing.override(keepGoing);
+ settings.tryFallback.override(tryFallback);
 nix::verbosity = verbosity;
- settings.maxBuildJobs.assign(maxBuildJobs);
- settings.maxSilentTime = maxSilentTime;
+ settings.maxBuildJobs.override(maxBuildJobs);
+ settings.maxSilentTime.override(maxSilentTime);
 settings.verboseBuild = verboseBuild;
- settings.buildCores = buildCores;
- settings.useSubstitutes = useSubstitutes;
+ settings.buildCores.override(buildCores);
+ settings.useSubstitutes.override(useSubstitutes);
 for (auto & i : overrides) {
 auto & name(i.first);
@@ -225,12 +225,13 @@ struct ClientSettings
 else
 warn("ignoring untrusted substituter '%s', you are not a trusted user.\n"
 "Run `man nix.conf` for more information on the `substituters` configuration option.", s);
- res = subs;
+ res.override(subs);
 return true;
 };
 try {
- if (name == "ssh-auth-sock") // obsolete
+ if (name == "ssh-auth-sock" // obsolete
+ || name == "store") // the daemon *is* the store
 ;
 else if (name == experimentalFeatureSettings.experimentalFeatures.name) {
 // We don’t want to forward the experimental features to
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index f43b759d2..9377ac936 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
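Review bot: `settings.verboseBuild = verboseBuild;` is the one Setting in ClientSettings::apply that keeps plain assignment while every neighbouring Setting was switched to `.override(...)`; unless that is deliberate it should become `settings.verboseBuild.override(verboseBuild);` so the overridden flag is set consistently for all client-supplied values (`nix::verbosity` is a plain global, not a Setting, so it is fine as written). The body of apply() continues past the end of the hunk.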
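Review bot: The new exclusion `|| name == "store"` in the @@ -225 hunk hard-codes the option name as a string literal, while the matching client-side exclusion in remote-store.cc (`overrides.erase(settings.storeUri.name)`) uses the Setting's own name; if the option is renamed or aliased, the daemon check silently stops matching and a client-sent store URI reaches whatever the later branches do with unknown names. Prefer `|| name == settings.storeUri.name) // the daemon *is* the store` here as well so both sides refer to the same identifier. The enclosing try block and the loop around it continue outside the hunk.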
@@ -69,12 +69,12 @@ Settings::Settings()
 , nixManDir(canonPath(NIX_MAN_DIR))
 , nixDaemonSocketFile(canonPath(getEnvNonEmpty("NIX_DAEMON_SOCKET_PATH").value_or(nixStateDir + DEFAULT_SOCKET_PATH)))
 {
- buildUsersGroup = getuid() == 0 ? "nixbld" : "";
- allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
+ buildUsersGroup.setDefault(getuid() == 0 ? "nixbld" : "");
+ allowSymlinkedStore.setDefault(getEnv("NIX_IGNORE_SYMLINK_STORE") == "1");
 auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
 if (sslOverride != "")
- caFile = sslOverride;
+ caFile.setDefault(sslOverride);
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
@@ -82,17 +82,17 @@ Settings::Settings()
 Strings ss;
 for (auto & p : tokenizeString<Strings>(*s, ":"))
 ss.push_back("@" + p);
- builders = concatStringsSep(" ", ss);
+ builders.setDefault(concatStringsSep(" ", ss));
 }
 #if defined(__linux__) && defined(SANDBOX_SHELL)
- sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
+ sandboxPaths.setDefault(tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL));
 #endif
 /* chroot-like behavior from Apple's sandbox */
 #if __APPLE__
- sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
- allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
+ sandboxPaths.setDefault(tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib"));
+ allowedImpureHostPrefixes.setDefault(tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh"));
 #endif
 /* Set the build hook location
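Review bot: `caFile.setDefault(sslOverride)` reclassifies the NIX_SSL_CERT_FILE / SSL_CERT_FILE value as a default rather than an override, so together with the overridden-only forwarding in hook-instance.cc it is presumably no longer sent to a build hook or a remote daemon; that is reasonable only if those processes derive the same CA bundle from their own environment, which this diff cannot confirm. A one-line comment above the `if (sslOverride != "")` would preserve the intent: `// Environment-derived CA bundle is a default, not an override, so it is not forwarded to hooks/daemons; they read their own environment.` The Settings constructor body continues before and after both hunks.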
@@ -118,10 +118,10 @@ Settings::Settings()
 if (!pathExists(nixExePath)) {
 nixExePath = getSelfExe().value_or("nix");
 }
- buildHook = {
+ buildHook.setDefault(Strings {
 nixExePath,
 "__build-remote",
- };
+ });
 }
 void loadConfFile()
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index bfba6ab01..dfb90cbe6 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -380,7 +380,8 @@ public:
 users in `build-users-group`. UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
- )"};
+ )",
+ {}, true, Xp::AutoAllocateUids};
 Setting<uint32_t> startId{this,
 #if __linux__
@@ -389,7 +390,10 @@ public:
 56930,
 #endif
 "start-id",
- "The first UID and GID to use for dynamic ID allocation."};
+ "The first UID and GID to use for dynamic ID allocation.",
+ {},
+ true,
+ Xp::AutoAllocateUids};
 Setting<uint32_t> uidCount{this,
 #if __linux__
@@ -398,7 +402,10 @@ public:
 128,
 #endif
 "id-count",
- "The number of UIDs/GIDs to use for dynamic ID allocation."};
+ "The number of UIDs/GIDs to use for dynamic ID allocation.",
+ {},
+ true,
+ Xp::AutoAllocateUids};
 #if __linux__
 Setting<bool> useCgroups{
@@ -409,12 +416,13 @@ public:
 Cgroups are required and enabled automatically for derivations that require the `uid-range` system feature.
- )"};
- #endif
+ )",
+ {}, true, Xp::Cgroups};
 Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
 "Whether to impersonate a Linux 2.6 machine on newer kernels.",
 {"build-impersonate-linux-26"}};
+ #endif
 Setting<bool> keepLog{
 this, true, "keep-build-log",
@@ -567,6 +575,7 @@ public:
 Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
 "Whether to disable sandboxing when the kernel doesn't allow it."};
+#if __linux__
 Setting<bool> requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups",
 R"(
 Following the principle of least privilege,
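Review bot: The added constructor arguments `{}, true, Xp::AutoAllocateUids` (and `{}, true, Xp::Cgroups`) pass an empty alias set and a bare boolean positionally, so a reader must know the Setting constructor's parameter order to tell what `true` switches on; a short inline tag such as `{}, /* documentDefault */ true, Xp::AutoAllocateUids}` (with the parameter's actual name) would make all four sites self-explaining. Separately, the @@ -409 hunk moves `impersonateLinux26` and the @@ -567 hunk moves `requireDropSupplementaryGroups` under `#if __linux__`; any non-Linux code that still references those members must now be guarded the same way, which cannot be confirmed from this diff. All of these hunks lie inside the Settings class body, which extends beyond them in both directions.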
@@ -585,7 +594,6 @@ public:
 and `false` otherwise.
 )"};
-#if __linux__
 Setting<std::string> sandboxShmSize{
 this, "50%", "sandbox-dev-shm-size", R"(
diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc
index a9f9818be..ff3722085 100644
--- a/src/libstore/remote-store.cc
+++ b/src/libstore/remote-store.cc
@@ -139,6 +139,7 @@ void RemoteStore::setOptions(Connection & conn)
 overrides.erase(loggerSettings.showTrace.name);
 overrides.erase(experimentalFeatureSettings.experimentalFeatures.name);
 overrides.erase(settings.pluginFiles.name);
+ overrides.erase(settings.storeUri.name); // the daemon *is* the store
 conn.to << overrides.size();
 for (auto & i : overrides)
 conn.to << i.first << i.second.value; |