Age | Commit message (Collapse) | Author |
|
By default, Nix sets the "cores" setting to the number of CPUs which are
physically present on the machine. If cgroups are used to limit the CPU
and memory consumption of a large Nix build, the OOM killer may be
invoked.
For example, consider a GitLab CI pipeline which builds a large software
package. The GitLab runner spawns a container whose CPU is limited to 4
cores and whose memory is limited to 16 GiB. If the underlying machine
has 64 cores, Nix will invoke the build with -j64. In many cases, that
level of parallelism will invoke the OOM killer and the build will
completely fail.
This change sets the default value of "cores" to be
ceil(cpu_quota / cpu_period), with a fallback to
std::thread::hardware_concurrency() if cgroups v2 is not detected.
|
|
tests which might clobber it
|
|
|
|
https://github.com/NixOS/nix/pull/6814#discussion_r924275777
|
|
|
|
Add some tests for the CLI completion
|
|
fix(libstore): allow Nix to access all Rosetta 2 paths on MacOS
|
|
The workaround for "Some distros patch Linux" mentioned in
local-derivation-goal.cc will not help in the `--option
sandbox-fallback false` case. To provide the user more helpful
guidance on how to get the sandbox working, let's check to see if the
`/proc` node created by the aforementioned patch is present and
configured in a way that will cause us problems. If so, give the user
a suggestion for how to troubleshoot the problem.
|
|
local-derivation-goal.cc contains a comment stating that "Some distros
patch Linux to not allow unprivileged user namespaces." Let's give a
pointer to a common version of this patch for those who want more
details about this failure mode.
|
|
This commit causes nix to `warn()` if sandbox setup has failed and
`/proc/self/ns/user` does not exist. This is usually a sign that the
kernel was compiled without `CONFIG_USER_NS=y`, which is required for
sandboxing.
|
|
This commit uses `warn()` to notify the user if sandbox setup fails
with errno==EPERM and /proc/sys/user/max_user_namespaces is missing or
zero, since that is at least part of the reason why sandbox setup
failed.
Note that `echo -n 0 > /proc/sys/user/max_user_namespaces` or
equivalent at boot time has been the recommended mitigation for
several Linux LPE vulnerabilities over the past few years. Many users
have applied this mitigation and then forgotten that they have done
so.
|
|
The failure modes for nix's sandboxing setup are pretty complicated.
When nix is unable to set up the sandbox, let's provide more detail
about what went wrong. Specifically:
* Make sure the error message includes the word "sandbox" so the user
knows that the failure was related to sandboxing.
* If `--option sandbox-fallback false` was provided, and removing it
would have allowed further attempts to make progress, let the user
know.
|
|
Fixes: #5884
|
|
nix develop: do not assume that saved vars are set
|
|
Disable auto-chroot if $NIX_STATE_DIR is set
|
|
Issue #6732.
|
|
This fixes https://github.com/NixOS/nix/issues/6809
|
|
curl: patch for netrc regression in Nix
|
|
|
|
Disable auto-chroot if $NIX_STORE_DIR is set
|
|
Fixes #6732.
|
|
On test failures, print a bash stack trace
|
|
This makes it easier to identify what command failed. It looks like:
follow-paths.sh: test failed at:
main in follow-paths.sh:54
|
|
Split flakes tests
|
|
|
|
|
|
|
|
Note: these were previously not actually called.
|
|
|
|
|
|
|
|
|
|
|
|
Simplify the check for overrides on non-existent inputs
|
|
Cherry-picked from the lazy-trees branch, where we no longer write a
lock file if any of the inputs is dirty.
|
|
|
|
Fix typo in flake.cc
|
|
- Test another command than `build`
- Test with two input flakes
|
|
`--override-input` id snarky because it takes two arguments, so it
doesn't play well when completed in the middle of the CLI (since the
argument just after gets interpreted as its second argument). So use
`--update-input` instead
|
|
non-existant -> non-existent
|
|
Fix --no-daemon installation
|
|
flakes: throw an error if `follows`-declaration for an input is invalid
|
|
It was accidentally triggering the auto-chroot code path because
/nix/var/nix didn't exist.
Fixes #6790.
|
|
|
|
|
|
|
|
update stale bot per RFC 0124
|
|
I recently got fairly confused why the following expression didn't have
any effect
{
description = "Foobar";
inputs.sops-nix = {
url = github:mic92/sops-nix;
inputs.nixpkgs_22_05.follows = "nixpkgs";
};
}
until I found out that the input was called `nixpkgs-22_05` (please note
the dash vs. underscore).
IMHO it's not a good idea to not throw an error in that case and
probably leave end-users rather confused, so I implemented a small check
for that which basically checks whether `follows`-declaration from
overrides actually have corresponding inputs in the transitive flake.
In fact this was done by accident already in our own test-suite where
the removal of a `follows` was apparently forgotten[1].
Since the key of the `std::map` that holds the `overrides` is a vector
and we have to find the last element of each vector (i.e. the override)
this has to be done with a for loop in O(n) complexity with `n` being
the total amount of overrides (which shouldn't be that large though).
Please note that this doesn't work with nested expressions, i.e.
inputs.fenix.inputs.nixpkgs.follows = "...";
which is a known problem[2].
For the expression demonstrated above, an error like this will be
thrown:
error: sops-nix has a `follows'-declaration for a non-existant input nixpkgs_22_05!
[1] 2664a216e57169ec57d7f51be1b8383c1be83fd5
[2] https://github.com/NixOS/nix/issues/5790
|
|
Also add a disabled test for when the `--override-input` flag comes
*before* the flake ref
|
|
- Don't use `printf` for the expected result, but just use bash's `$' '`
litteral strings
- Quote the `nix` call result
- Invert the order in the comparisons (just because it feels more
natural)
|