| Age | Commit message (Collapse) | Author |
|---|
|
|
|
* Documentation: builtins.fetchGit when used on a local path
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
|
|
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
docs: Fix small formatting errors
|
|
Fix auto-uid-allocation in Docker containers
|
|
Use a pipe for all install commands
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
PR template: Ask release notes for incompatible changes, not bug fixes
|
|
This is a workaround for
[mdBook#2000](https://github.com/rust-lang/mdBook/issues/2000)
|
|
|
|
|
|
|
|
|
|
|
|
In unprivileged podman containers, /proc is not fully visible (there
are other filesystems mounted on subdirectories of /proc). Therefore
we can't mount a new /proc in the sandbox that matches the PID
namespace of the sandbox. So this commit automatically disables
sandboxing if /proc is not fully visible.
|
|
This didn't work because sandboxing doesn't work in Docker. However,
the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails,
we retry with sandboxing disabled. But at that point, we've already
done UID allocation under the assumption that user namespaces are
enabled.
So let's get rid of the "goto fallback" logic and just detect early
whether user / mount namespaces are enabled.
This commit also gets rid of a compatibility hack for some ancient
Linux kernels (<2.13).
|
|
|
|
fix documentation for `clang11Stdenv` dev shell
|
|
|
|
NixOS/dependabot/github_actions/cachix/install-nix-action-19
Bump cachix/install-nix-action from 18 to 19
|
|
Backport PR title: Bot-based -> Automatic
|
|
add "instantiate" to glossary
|
|
|
|
|
|
In hope to reduce friction in contributor-facing communication, use a more common word. "bot" needless jargon for "something the machine does itself".
|
|
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 18 to 19.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](https://github.com/cachix/install-nix-action/compare/v18...v19)
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
`clang11StdenvPackages` does not exist
```
│ └───x86_64-linux
│ ├───ccacheStdenv: development environment 'nix'
│ ├───clang11Stdenv: development environment 'nix'
│ ├───clangStdenv: development environment 'nix'
│ ├───default: development environment 'nix'
│ ├───gccStdenv: development environment 'nix'
│ ├───libcxxStdenv: development environment 'nix'
│ └───stdenv: development environment 'nix'
```
|
|
perl: run `initLibStore()` on `openStore()`
|
|
Move `trustedUsers` and `allowedUsers` to separate config struct
|
|
Get rid of the `authHook` parameter on `processConnection`
|
|
These settings are not needed for libstore at all, they are just used by
the nix daemon *command* for authorization on unix domain sockets. My
moving them to a new configuration struct just in that file, we avoid
them leaking anywhere else.
Also, it is good to break up the mammoth `Settings` struct in general.
Issue #5638 tracks this.
The message is not changed because I do not want to regress in
convenience to the user. Just saying "this connection is not trusted"
doesn't tell them out to fix the issue. The ideal thing to do would be
to somehow parameterize `processCommand` on how the error should be
displayed, so different sorts of connections can display different
information to the user based on how authentication is performed for the
connection in question. This, however, is a good bit more work, so it is
left for the future.
This came up with me thinking about the tcp:// store (#5265). The larger
project is not TCP *per se*, but the idea that it should be possible for
something else to manage access control to services like the Nix Daemon,
and those services simply trust or trust the incoming connection as they
are told. This is a more capability-oriented way of thinking about trust
than "every server implements its own auth separately" as we are used to today.
Its very great that libstore itself already implements just this model,
and so via this refactor I basically want to "enshrine" that so it
continues to be the case.
|
|
This is (morally) dead code.
As @edolstra pointed out in
https://github.com/NixOS/nix/pull/5226#discussion_r1073470813, this is
no longer needed.
I created this in 8d4162ff9e940ea9e2f97b07f3030a722695901a, so it is
fitting that I now destroy it :).
|
|
Expand installation.md
|
|
Since #7478 it's mandatory that `initLibStore()` is called for store
operations. However that's not the case when running `openStore()` in
Perl using the perl-bindings. That breaks e.g. `hydra-eval-jobset` when
built against Nix 2.13 which uses small portions of the store API.
|
|
Don't send plugin-files to the daemon.
|
|
The setting itself was already ignored due to exception trying to set pluginFiles.
|
|
nix-shell: Colour the prompt red if the user is root
|
|
This is radically unsafe and the daemon has already loaded its plugins
anyway.
Fixes cachix/devenv#276
|
|
This matches the nixos prompt colours - green for standard user, red for
root
|
|
Fix C++20 compilation with clang
|
|
|
|
|
|
nix store ping: add --json flag
|
|
Separate `path.hh` from `content-address.hh`
|
|
Delete dead code
|
|
Fix configure.ac rapidcheck tests
|
|
Better error message for nix search when attr is not found
|
|
manual: Document that the store timestamp is now 1, not 0
|
|
nix flake show: Ignore empty attrsets
|
|
Proposal: Use C++20
|
