authoralois31 <alois1@gmx-topmail.de>2024-10-23 15:20:51 +0000
committerGerrit Code Review <gerrit@localhost>2024-10-23 15:20:51 +0000
commit2734a9cf94debc6baef4e7d4d9fa28cc28f5b31d (patch)
treeba6be97cc5ac268941b1c8ac10507786a720357c /src/libstore
parent5f1344dd8aec59ce654a0fac30b1842e2e68299c (diff)
parent689eb45630a183f0fbbd8864cb7a3c7cb1704451 (diff)
Merge changes I29e66ad8,I77ea62cd,I7cd58d92 into mainHEADmain
* changes: treewide: make more settings conditionally available libstore/build: only send overridden settings to the build hook treewide: consistently mark overridden settings as such
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build/hook-instance.cc2
-rw-r--r--src/libstore/builtins/fetchurl.cc4
-rw-r--r--src/libstore/daemon.cc19
-rw-r--r--src/libstore/globals.cc18
-rw-r--r--src/libstore/globals.hh20
-rw-r--r--src/libstore/remote-store.cc1
6 files changed, 37 insertions, 27 deletions
diff --git a/src/libstore/build/hook-instance.cc b/src/libstore/build/hook-instance.cc
index 521f34917..9f76eca4d 100644
--- a/src/libstore/build/hook-instance.cc
+++ b/src/libstore/build/hook-instance.cc
@@ -74,7 +74,7 @@ HookInstance::HookInstance()
sink = FdSink(toHook.get());
std::map<std::string, Config::SettingInfo> settings;
- globalConfig.getSettings(settings);
+ globalConfig.getSettings(settings, true);
for (auto & setting : settings)
sink << 1 << setting.first << setting.second.value;
sink << 0;
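Review bot: The bare `true` handed to `getSettings` on the `+` line is opaque; a comment should say that it selects overridden settings only and why the defaults can be omitted from the hook stream. In this same series, values the `Settings` constructor derives from the environment (the CA bundle from `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE`, `builders` from `NIX_REMOTE_SYSTEMS`) become `setDefault` values, so they are presumably no longer written here and the hook has to rebuild them from an identical environment — worth stating explicitly since the CA path is security-relevant. Suggested: `// Forward overrides only; defaults (including env-derived ones) are recomputed by the hook from the same environment.` The `HookInstance` constructor continues outside the hunk.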
diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
index b28eb01d0..69a9f993f 100644
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@@ -13,11 +13,11 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData,
this to be stored in a file. It would be nice if we could just
pass a pointer to the data. */
if (netrcData != "") {
- settings.netrcFile = "netrc";
+ settings.netrcFile.override("netrc");
writeFile(settings.netrcFile, netrcData, 0600);
}
- settings.caFile = "ca-certificates.crt";
+ settings.caFile.override("ca-certificates.crt");
writeFile(settings.caFile, caFileData, 0600);
auto getAttr = [&](const std::string & name) {
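Review bot: The move from assignment to `override()` on the `netrcFile` and `caFile` lines changes how the setting is flagged rather than its value, and nothing in the hunk records why, so a later editor could plausibly revert it to `=`. Suggested above the netrc block: `// override(), not assignment: these paths must take precedence over any default derived from the environment (e.g. NIX_SSL_CERT_FILE).` The `caFile` write stays unconditional while the netrc write is guarded on non-empty data; if an empty `caFileData` can reach this point, the same guard would avoid installing an empty CA bundle, though that behaviour predates this change. `builtinFetchurl` continues past the hunk.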
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index a9239197b..93b405c01 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -195,15 +195,15 @@ struct ClientSettings
void apply(TrustedFlag trusted)
{
- settings.keepFailed = keepFailed;
- settings.keepGoing = keepGoing;
- settings.tryFallback = tryFallback;
+ settings.keepFailed.override(keepFailed);
+ settings.keepGoing.override(keepGoing);
+ settings.tryFallback.override(tryFallback);
nix::verbosity = verbosity;
- settings.maxBuildJobs.assign(maxBuildJobs);
- settings.maxSilentTime = maxSilentTime;
+ settings.maxBuildJobs.override(maxBuildJobs);
+ settings.maxSilentTime.override(maxSilentTime);
settings.verboseBuild = verboseBuild;
- settings.buildCores = buildCores;
- settings.useSubstitutes = useSubstitutes;
+ settings.buildCores.override(buildCores);
+ settings.useSubstitutes.override(useSubstitutes);
for (auto & i : overrides) {
auto & name(i.first);
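Review bot: `settings.verboseBuild = verboseBuild;` and `nix::verbosity = verbosity;` keep plain assignment while every neighbouring line was moved to `override()`, which reads as an omission. If `verboseBuild` is a plain member rather than a `Setting<>`, record that with `// plain members, not Setting<>: assignment is correct here`; if it is a `Setting<>`, it should use `override()` too so overridden-only consumers such as the build hook see it. Note also that these client values are applied regardless of `trusted`; only the `overrides` loop below consults the flag, which may be worth a one-line comment. `apply` continues past the end of the hunk.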
@@ -225,12 +225,13 @@ struct ClientSettings
else
warn("ignoring untrusted substituter '%s', you are not a trusted user.\n"
"Run `man nix.conf` for more information on the `substituters` configuration option.", s);
- res = subs;
+ res.override(subs);
return true;
};
try {
- if (name == "ssh-auth-sock") // obsolete
+ if (name == "ssh-auth-sock" // obsolete
+ || name == "store") // the daemon *is* the store
;
else if (name == experimentalFeatureSettings.experimentalFeatures.name) {
// We don’t want to forward the experimental features to
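Review bot: The new `name == "store"` test hard-codes the setting name, whereas the matching client-side filter in `RemoteStore::setOptions` uses `settings.storeUri.name`; use the same identifier here, `|| name == settings.storeUri.name) // the daemon *is* the store`, so a rename cannot desynchronise the two sides. Dropping it is the right call from a security standpoint — a client must not be able to repoint the daemon at a different store URI — but since a conforming client never sends it, a `debug()` line when it does arrive would help diagnose an older or foreign client. The `substituters` branch above now applies the filtered list via `res.override(subs)` only after warning on untrusted entries, which looks consistent with the rest of the series. The enclosing loop starts and ends outside the hunk.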
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index f43b759d2..9377ac936 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -69,12 +69,12 @@ Settings::Settings()
, nixManDir(canonPath(NIX_MAN_DIR))
, nixDaemonSocketFile(canonPath(getEnvNonEmpty("NIX_DAEMON_SOCKET_PATH").value_or(nixStateDir + DEFAULT_SOCKET_PATH)))
{
- buildUsersGroup = getuid() == 0 ? "nixbld" : "";
- allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
+ buildUsersGroup.setDefault(getuid() == 0 ? "nixbld" : "");
+ allowSymlinkedStore.setDefault(getEnv("NIX_IGNORE_SYMLINK_STORE") == "1");
auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
if (sslOverride != "")
- caFile = sslOverride;
+ caFile.setDefault(sslOverride);
/* Backwards compatibility. */
auto s = getEnv("NIX_REMOTE_SYSTEMS");
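Review bot: `caFile.setDefault(sslOverride)` now classifies a CA bundle taken from `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` as a default rather than an override, and the hunk does not record the consequence: any consumer that lists overridden settings only (the build hook after this series) will presumably not receive it and must derive it from its own environment. That is acceptable as long as such processes inherit the same environment, but it deserves a comment, e.g. `// Env-derived CA path is a default, not an override: nix.conf still wins, and overridden-only consumers recompute it from their environment.` The same consideration applies to `allowSymlinkedStore` from `NIX_IGNORE_SYMLINK_STORE`. The constructor continues outside the hunk.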
@@ -82,17 +82,17 @@ Settings::Settings()
Strings ss;
for (auto & p : tokenizeString<Strings>(*s, ":"))
ss.push_back("@" + p);
- builders = concatStringsSep(" ", ss);
+ builders.setDefault(concatStringsSep(" ", ss));
}
#if defined(__linux__) && defined(SANDBOX_SHELL)
- sandboxPaths = tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL);
+ sandboxPaths.setDefault(tokenizeString<StringSet>("/bin/sh=" SANDBOX_SHELL));
#endif
/* chroot-like behavior from Apple's sandbox */
#if __APPLE__
- sandboxPaths = tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib");
- allowedImpureHostPrefixes = tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh");
+ sandboxPaths.setDefault(tokenizeString<StringSet>("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib"));
+ allowedImpureHostPrefixes.setDefault(tokenizeString<StringSet>("/System/Library /usr/lib /dev /bin/sh"));
#endif
/* Set the build hook location
@@ -118,10 +118,10 @@ Settings::Settings()
if (!pathExists(nixExePath)) {
nixExePath = getSelfExe().value_or("nix");
}
- buildHook = {
+ buildHook.setDefault(Strings {
nixExePath,
"__build-remote",
- };
+ });
}
void loadConfFile()
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index bfba6ab01..dfb90cbe6 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -380,7 +380,8 @@ public:
users in `build-users-group`.
UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
- )"};
+ )",
+ {}, true, Xp::AutoAllocateUids};
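Review bot: The trailing `{}, true, Xp::AutoAllocateUids` arguments are positional and unexplained; a reader cannot tell from this line which is the alias list and which the documentation flag. If the constructor follows the usual `(aliases, documentDefault, experimentalFeature)` order, annotate it as `{} /* aliases */, true /* documentDefault */, Xp::AutoAllocateUids`, and do the same for `start-id` and `id-count` in the following hunks. Gating these settings on the experimental feature presumably means a `nix.conf` or client value for them without `auto-allocate-uids` enabled is now rejected or ignored; please confirm that produces a clear diagnostic rather than a silent fall back to the static UID range, and mention it in the setting description. The `Setting` definition starts outside the hunk.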
Setting<uint32_t> startId{this,
#if __linux__
@@ -389,7 +390,10 @@ public:
56930,
#endif
"start-id",
- "The first UID and GID to use for dynamic ID allocation."};
+ "The first UID and GID to use for dynamic ID allocation.",
+ {},
+ true,
+ Xp::AutoAllocateUids};
Setting<uint32_t> uidCount{this,
#if __linux__
@@ -398,7 +402,10 @@ public:
128,
#endif
"id-count",
- "The number of UIDs/GIDs to use for dynamic ID allocation."};
+ "The number of UIDs/GIDs to use for dynamic ID allocation.",
+ {},
+ true,
+ Xp::AutoAllocateUids};
#if __linux__
Setting<bool> useCgroups{
@@ -409,12 +416,13 @@ public:
Cgroups are required and enabled automatically for derivations
that require the `uid-range` system feature.
- )"};
- #endif
+ )",
+ {}, true, Xp::Cgroups};
Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
"Whether to impersonate a Linux 2.6 machine on newer kernels.",
{"build-impersonate-linux-26"}};
+ #endif
Setting<bool> keepLog{
this, true, "keep-build-log",
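Review bot: Moving `#endif` below `impersonateLinux26` makes `impersonate-linux-26` a Linux-only setting, but neither its description nor the hunk says so, and a non-Linux user with it in `nix.conf` will presumably now see an unknown-setting warning. Please check that every use site of `impersonateLinux26` (not visible here) is also under `#if __linux__`, and add `(Linux only.)` to its description so the platform restriction is documented where users read it. The `useCgroups` description starts outside the hunk.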
@@ -567,6 +575,7 @@ public:
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
"Whether to disable sandboxing when the kernel doesn't allow it."};
+#if __linux__
Setting<bool> requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups",
R"(
Following the principle of least privilege,
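Review bot: Wrapping `requireDropSupplementaryGroups` in `#if __linux__` removes the setting on other platforms, and since its default is `getuid() == 0` it is a hardening knob for root daemons, so the platform change should be explicit. Please confirm the code that enforces it (not visible here) is likewise Linux-only and that non-Linux builders do not silently retain supplementary groups, and add `This setting only exists on Linux.` to the description. A macOS `nix.conf` that sets `require-drop-supplementary-groups` will presumably now trigger an unknown-setting warning, which belongs in the release notes. The setting's description continues past the hunk.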
@@ -585,7 +594,6 @@ public:
and `false` otherwise.
)"};
-#if __linux__
Setting<std::string> sandboxShmSize{
this, "50%", "sandbox-dev-shm-size",
R"(
diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc
index a9f9818be..ff3722085 100644
--- a/src/libstore/remote-store.cc
+++ b/src/libstore/remote-store.cc
@@ -139,6 +139,7 @@ void RemoteStore::setOptions(Connection & conn)
overrides.erase(loggerSettings.showTrace.name);
overrides.erase(experimentalFeatureSettings.experimentalFeatures.name);
overrides.erase(settings.pluginFiles.name);
+ overrides.erase(settings.storeUri.name); // the daemon *is* the store
conn.to << overrides.size();
for (auto & i : overrides)
conn.to << i.first << i.second.value;
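Review bot: The four `overrides.erase(...)` calls form a client-side deny-list that has to stay in step with the daemon's ignore list in `ClientSettings::apply`, where `store` is matched by string literal; consider a single shared set both sides consult, or at least `// keep in sync with the ignore list in daemon.cc ClientSettings::apply` here. Stripping `storeUri` on the client is the safer place to enforce it, since a daemon that does not filter it should never be handed a different store URI. `setOptions` starts before the hunk and continues after it.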