aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
AgeCommit message (Collapse)Author
2023-03-03Merge pull request #7918 from zimbatm/fix-empty-nix-store-envEelco Dolstra
treat empty NIX_STORE_DIR env vars as unset
2023-03-03Merge pull request #7942 from edolstra/remove-formatEelco Dolstra
Remove FormatOrString and remaining uses of format()
2023-03-02Remove FormatOrString and remaining uses of format()Eelco Dolstra
2023-03-02Log the decompressed body in case of http errorsThéophane Hufschmitt
Don't show the users the raw (possibly compressed) error message as everyone isn't able to decompress brotli in their brain.
2023-03-02Merge pull request #7924 from mkenigs/validEelco Dolstra
Always set valid in path-info --json output
2023-03-01Treat empty env var paths as unsetFélix Baylac Jacqué
We make sure the env var paths are actually set (ie. not "") before sending them to the canonicalization function. If we forget to do so, the user will end up facing a puzzled failed assertion internal error. We issue a non-failing warning as a stop-gap measure. We could want to revisit this to issue a detailed failing error message in the future.
2023-03-01Remove dead code `RemoteStore::sameMachine`John Ericson
It has been dead code since 9747ea84b43c75f719d719673b9d0a7cb50d34e5.
2023-03-01Merge pull request #7788 from ↵Valentin Gagarin
bobvanderlinden/pr-improve-nix-profile-install-error Improve error on conflict for nix profile install
2023-02-28Always set valid in path-info --json outputMatthew Kenigsberg
Currently the valid key is only present when the path is invalid, which makes checking path validity more complex than it should be. With this change, the valid key can always be used to check if a path is valid
2023-02-28Merge pull request #7793 from layus/interrupt_downloadsEelco Dolstra
Check interrupts even when download stalled
2023-02-27buildenv: throw BuildEnvFileConflictError with more contextBob van der Linden
At the moment an Error is thrown that only holds an error message regarding `nix-env` and `nix profile`. These tools make use of builtins.buildEnv, but buildEnv is also used in other places. These places are unrelated to Nix profiles, so the error shouldn't mention these tools. This generic error is now BuildEnvFileConflictError, which holds more contextual information about the files that were conflicting while building the environment.
2023-02-27add information on the `build-hook` settingValentin Gagarin
add a warning that you probably never want to change this.
2023-02-21Merge pull request #7856 from yorickvP/fix-nsswitchThéophane Hufschmitt
Wait with making /etc unwritable until after build env setup
2023-02-20`Derivation::toJSON`: fix bug!John Ericson
When I moved this code from the binary to libnixstore #7863, I forgot to display the environment variables!
2023-02-19Test `toJSON` of `DerivationOutput` and `Derivation`John Ericson
2023-02-19Move `Derivation` toJSON logic to libnixstoreJohn Ericson
2023-02-17Wait with making /etc unwritable until after build env setupYorick van Pelt
This fixes /etc/nsswitch.conf
2023-02-14Make /etc writability conditional on uid-range featureYorick van Pelt
2023-02-14Don't allow writing to /etcYorick van Pelt
2023-02-13Merge pull request #7616 from hercules-ci/fix-3898Eelco Dolstra
Fix foreign key error inserting into NARs #3898
2023-02-10Merge pull request #7805 from edolstra/c++2aEelco Dolstra
Fix building with GCC 9
2023-02-10Merge pull request #7802 from edolstra/fix-7783Eelco Dolstra
Fix PID namespace support check
2023-02-10Fix building with GCC 9Eelco Dolstra
Nixpkgs on aarch64-linux is currently stuck on GCC 9 (https://github.com/NixOS/nixpkgs/issues/208412) and using gcc11Stdenv doesn't work either. So use c++2a instead of c++20 for now. Unfortunately this means we can't use some C++20 features for now (like std::span).
2023-02-10Merge pull request #5588 from tweag/balsoft/xdgThéophane Hufschmitt
Follow XDG Base Directory standard
2023-02-10A setting to follow XDG Base Directory standardAlexander Bantyev
XDG Base Directory is a standard for locations for storing various files. Nix has a few files which seem to fit in the standard, but currently use a custom location directly in the user's ~, polluting it: - ~/.nix-profile - ~/.nix-defexpr - ~/.nix-channels This commit adds a config option (use-xdg-base-directories) to follow the XDG spec and instead use the following locations: - $XDG_STATE_HOME/nix/profile - $XDG_STATE_HOME/nix/defexpr - $XDG_STATE_HOME/nix/channels If $XDG_STATE_HOME is not set, it is assumed to be ~/.local/state. Co-authored-by: Théophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com> Co-authored-by: Tim Fenney <kodekata@gmail.com> Co-authored-by: pasqui23 <pasqui23@users.noreply.github.com> Co-authored-by: Artturin <Artturin@artturin.com> Co-authored-by: John Ericson <Ericson2314@Yahoo.com>
2023-02-10LocalDerivationGoal::startBuilder(): Use startProcess() to cloneEelco Dolstra
2023-02-10Simplify the PID namespace check: just try to mount /procEelco Dolstra
Fixes #7783.
2023-02-10nit: cleaner diffGuillaume Maudoux
2023-02-10Flush data when download endsGuillaume Maudoux
2023-02-09Merge pull request #7712 from Mic92/advertise-compressionsEelco Dolstra
advertise transport encoding in http transfers to
2023-02-09Check interupts even when download stalledGuillaume Maudoux
2023-02-07NarInfoDiskCache: Also test id consistency with updated fieldsRobert Hensing
And clarify test
2023-02-07NarInfoDiskCache: Keep BinaryCache.id stable and improve testRobert Hensing
Fixes #3898 The entire `BinaryCaches` row used to get replaced after it became stale according to the `timestamp` column. In a concurrent scenario, this leads to foreign key conflicts as different instances of the in-process `state.caches` cache now differ, with the consequence that the older process still tries to use the `id` number of the old record. Furthermore, this phenomenon appears to have caused the cache for actual narinfos to be erased about every week, while the default ttl for narinfos was supposed to be 30 days.
2023-02-07NarInfoDiskCache: Prepare reproducer for #3898Robert Hensing
2023-02-07NarInfoDiskCacheImpl: Make dbPath a parameterRobert Hensing
This allows testing with a clean database.
2023-02-07NarInfoDiskCache: Rename cacheExists -> upToDateCacheExistsRobert Hensing
This is slightly more accurate considering that an outdated record may exist in the persistent cache. Possibly-outdated records are quite relevant as they may be foreign keys to more recent information that we want to keep, but we will not return them here.
2023-02-07sqlite.cc: Add SQL tracingRobert Hensing
Set environment variable NIX_DEBUG_SQLITE_TRACES=1 to log all sql statements.
2023-02-07Mention --no-sandbox if sandboxing is unsupportedEelco Dolstra
2023-02-07Check whether we can use PID namespacesEelco Dolstra
In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible.
2023-02-07Fix auto-uid-allocation in Docker containersEelco Dolstra
This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13).
2023-02-03advertise transport encoding in http transfers toJörg Thalheim
tl;dr: With this 1 line change I was able to get a speedup of 1.5x on 1Gbit/s wan connections by enabling zstd compression in nginx. Also nix already supported all common compression format for http transfer, webservers usually only enable them if they are advertised through the Accept-Encoding header. This pull requests makes nix advertises content compression support for zstd, br, gzip and deflate. It's particular useful to add transparent compression for binary caches that serve packages from the host nix store in particular nix-serve, nix-serve-ng and harmonia. I tried so far gzip, brotli and zstd, whereas only zstd was able to bring me performance improvements for 1Gbit/s WAN connections. The following nginx configuration was used in combination with the [zstd module](https://github.com/tokers/zstd-nginx-module) and [harmonia](https://github.com/nix-community/harmonia/) ```nix { services.nginx.virtualHosts."cache.yourhost.com" = { locations."/".extraConfig = '' proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; zstd on; zstd_types application/x-nix-archive; ''; }; } ``` For testing I unpacked a linux kernel tarball to the nix store using this command `nix-prefetch-url --unpack https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.1.8.tar.gz`. Before: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwbb88sw36fvah-linux-6.1.8.tar.gz' warning: Git tree '/scratch/joerg/nix' is dirty real 0m18,375s user 0m2,889s sys 0m1,558s ``` After: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwb b88sw36fvah-linux-6.1.8.tar.gz' real 0m11,884s user 0m4,130s sys 0m1,439s ``` Signed-off-by: Jörg Thalheim <joerg@thalheim.io> Update src/libstore/filetransfer.cc Co-authored-by: Théophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com>
2023-02-03Merge pull request #7739 from obsidiansystems/user-settingsEelco Dolstra
Move `trustedUsers` and `allowedUsers` to separate config struct
2023-02-02Move `trustedUsers` and `allowedUsers` to separate config structJohn Ericson
These settings are not needed for libstore at all, they are just used by the nix daemon *command* for authorization on unix domain sockets. My moving them to a new configuration struct just in that file, we avoid them leaking anywhere else. Also, it is good to break up the mammoth `Settings` struct in general. Issue #5638 tracks this. The message is not changed because I do not want to regress in convenience to the user. Just saying "this connection is not trusted" doesn't tell them out to fix the issue. The ideal thing to do would be to somehow parameterize `processCommand` on how the error should be displayed, so different sorts of connections can display different information to the user based on how authentication is performed for the connection in question. This, however, is a good bit more work, so it is left for the future. This came up with me thinking about the tcp:// store (#5265). The larger project is not TCP *per se*, but the idea that it should be possible for something else to manage access control to services like the Nix Daemon, and those services simply trust or trust the incoming connection as they are told. This is a more capability-oriented way of thinking about trust than "every server implements its own auth separately" as we are used to today. Its very great that libstore itself already implements just this model, and so via this refactor I basically want to "enshrine" that so it continues to be the case.
2023-02-02Get rid of the `authHook` parameter on `processConnection`John Ericson
This is (morally) dead code. As @edolstra pointed out in https://github.com/NixOS/nix/pull/5226#discussion_r1073470813, this is no longer needed. I created this in 8d4162ff9e940ea9e2f97b07f3030a722695901a, so it is fitting that I now destroy it :).
2023-02-02daemon: Warn on old clients passing unexpected plugin-files.Shea Levy
The setting itself was already ignored due to exception trying to set pluginFiles.
2023-02-01Don't send plugin-files to the daemon.Shea Levy
This is radically unsafe and the daemon has already loaded its plugins anyway. Fixes cachix/devenv#276
2023-02-01Remove an unused captureEelco Dolstra
2023-02-01Merge pull request #7716 from obsidiansystems/small-storePath-cleanupsThéophane Hufschmitt
Separate `path.hh` from `content-address.hh`
2023-02-01Merge pull request #7717 from obsidiansystems/delete-dead-codeEelco Dolstra
Delete dead code
2023-02-01Merge pull request #7203 from graham33/feature/cpp20Eelco Dolstra
Proposal: Use C++20