aboutsummaryrefslogtreecommitdiff
path: root/src/libstore
AgeCommit message (Collapse)Author
2022-08-22Merge pull request #6926 from rapenne-s/download_limitEelco Dolstra
add a nix.conf option to set a download speed limit
2022-08-22SpellingEelco Dolstra
2022-08-20Better documentation wordingSolène Rapenne
Co-authored-by: Anderson Torres <torres.anderson.85@protonmail.com>
2022-08-19add a nix.conf option to set a download speed limitSolene Rapenne
2022-08-19don't read outputs into memory for output rewritingpennae
RewritingSink can handle being fed input where a reference crosses a chunk boundary. we don't need to load the whole source into memory, and in fact *not* loading the whole source lets nix build FODs that do not fit into memory (eg fetchurl'ing data files larger than system memory).
2022-08-17Remove warnLargeDump()Eelco Dolstra
This message was unhelpful (#1184) and probably misleading since memory is O(1) in most cases now.
2022-08-10Merge pull request #6850 from NinjaTrappeur/nin/build-checkThéophane Hufschmitt
Fix Nix build --check flag
2022-08-03Only use `renameFile` where neededThéophane Hufschmitt
In most places the fallback to copying isn’t needed and can actually be bad, so we’d rather not transparently fallback
2022-08-03moveFile -> renameFileThéophane Hufschmitt
`move` tends to have this `mv` connotation of “I will copy it for you if needs be”
2022-08-03Create a wrapper around stdlib’s `rename`Théophane Hufschmitt
Directly takes some c++ strings, and gently throws an exception on error (rather than having to inline this logic everywhere)
2022-08-01derivation-goal.cc: remove bmCheck custom return branch on buildDoneFélix Baylac-Jacqué
Once a derivation goal has been completed, we check whether or not this goal was meant to be repeated to check its output. An early return branch was preventing the worker to reach that repeat code branch, hence breaking the --check command (#2619). It seems like this early return branch is an artifact of a passed refactoring. As far as I can tell, buildDone's main branch also cleanup the tmp directory before returning.
2022-07-22Merge pull request #6814 from amjoseph-nixpkgs/pr/sandbox-error-messagesThéophane Hufschmitt
local-derivation-goal.cc: improve error messages when sandboxing fails
2022-07-19libstore/globals.cc: Move cgroup detection to libutilAlex Wied
2022-07-19libstore/globals.cc: Automatically set cores based on cgroup CPU limitAlex Wied
By default, Nix sets the "cores" setting to the number of CPUs which are physically present on the machine. If cgroups are used to limit the CPU and memory consumption of a large Nix build, the OOM killer may be invoked. For example, consider a GitLab CI pipeline which builds a large software package. The GitLab runner spawns a container whose CPU is limited to 4 cores and whose memory is limited to 16 GiB. If the underlying machine has 64 cores, Nix will invoke the build with -j64. In many cases, that level of parallelism will invoke the OOM killer and the build will completely fail. This change sets the default value of "cores" to be ceil(cpu_quota / cpu_period), with a fallback to std::thread::hardware_concurrency() if cgroups v2 is not detected.
2022-07-19local-derivation-goal.cc: save global errno to the stack before performing ↵Adam Joseph
tests which might clobber it
2022-07-19as requested by @thufschmitt ↵Adam Joseph
https://github.com/NixOS/nix/pull/6814#discussion_r924275777
2022-07-19change warn() to notice()Adam Joseph
2022-07-17local-derivation-goal.cc: detect unprivileged_userns_clone failure modeAdam Joseph
The workaround for "Some distros patch Linux" mentioned in local-derivation-goal.cc will not help in the `--option sandbox-fallback false` case. To provide the user more helpful guidance on how to get the sandbox working, let's check to see if the `/proc` node created by the aforementioned patch is present and configured in a way that will cause us problems. If so, give the user a suggestion for how to troubleshoot the problem.
2022-07-17local-derivation-goal.cc: add comment re: CLONE_NEWUSERAdam Joseph
local-derivation-goal.cc contains a comment stating that "Some distros patch Linux to not allow unprivileged user namespaces." Let's give a pointer to a common version of this patch for those who want more details about this failure mode.
2022-07-16local-derivation-goal.cc: warn if failing and /proc/self/ns/user missingAdam Joseph
This commit causes nix to `warn()` if sandbox setup has failed and `/proc/self/ns/user` does not exist. This is usually a sign that the kernel was compiled without `CONFIG_USER_NS=y`, which is required for sandboxing.
2022-07-16local-derivation-goal.cc: warn if failing due to max_user_namespaces==0Adam Joseph
This commit uses `warn()` to notify the user if sandbox setup fails with errno==EPERM and /proc/sys/user/max_user_namespaces is missing or zero, since that is at least part of the reason why sandbox setup failed. Note that `echo -n 0 > /proc/sys/user/max_user_namespaces` or equivalent at boot time has been the recommended mitigation for several Linux LPE vulnerabilities over the past few years. Many users have applied this mitigation and then forgotten that they have done so.
2022-07-16local-derivation-goal.cc: improve error messages when sandboxing failsAdam Joseph
The failure modes for nix's sandboxing setup are pretty complicated. When nix is unable to set up the sandbox, let's provide more detail about what went wrong. Specifically: * Make sure the error message includes the word "sandbox" so the user knows that the failure was related to sandboxing. * If `--option sandbox-fallback false` was provided, and removing it would have allowed further attempts to make progress, let the user know.
2022-07-15fix(libstore): allow Nix to access all Rosetta 2 paths on MacOSAlex Wied
Fixes: #5884
2022-07-15Disable auto-chroot if $NIX_STATE_DIR is setEelco Dolstra
Issue #6732.
2022-07-14Disable auto-chroot if $NIX_STORE_DIR is setEelco Dolstra
Fixes #6732.
2022-06-29Don't fail if we can't create ~/.local/share/nix/rootEelco Dolstra
https://hydra.nixos.org/build/182135943
2022-06-29Merge pull request #6706 from lheckemann/cache-info-cache-invalidationThéophane Hufschmitt
nar-info-disk-cache: refresh nix-cache-info weekly
2022-06-25Merge pull request #6714 from edolstra/auto-chroot-storeEelco Dolstra
Automatically use a chroot store if /nix doesn't exist
2022-06-24Only do the auto chroot store on LinuxEelco Dolstra
2022-06-23[fixup] handle cache expiration in sqlite queryLinus Heckemann
2022-06-23libstore/nar-info: drop unused system fieldCole Helbling
This was unused everywhere (and even the official NixOS binary cache did not produce .narinfo files containing a "System:" field).
2022-06-23Fix typoEelco Dolstra
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2022-06-23Automatically use a chroot store if /nix doesn't existEelco Dolstra
Specifically, if we're not root and the daemon socket does not exist, then we use ~/.local/share/nix/root as a chroot store. This enables non-root users to download nix-static and have it work out of the box, e.g. ubuntu@ip-10-13-1-146:~$ ~/nix run nixpkgs#hello warning: '/nix' does not exists, so Nix will use '/home/ubuntu/.local/share/nix/root' as a chroot store Hello, world!
2022-06-23Merge pull request #6710 from edolstra/embedded-sandbox-shellEelco Dolstra
Embed the sandbox shell into the statically linked 'nix' binary
2022-06-23Fix typoEelco Dolstra
2022-06-23Merge pull request #6673 from asymmetric/warnThéophane Hufschmitt
libstore: improve warning message on missing sig
2022-06-23Embed the sandbox shell into the statically linked 'nix' binaryEelco Dolstra
With this, Nix will write a copy of the sandbox shell to /bin/sh in the sandbox rather than bind-mounting it from the host filesystem. This makes /bin/sh work out of the box with nix-static, i.e. you no longer get /nix/store/qa36xhc5gpf42l3z1a8m1lysi40l9p7s-bootstrap-stage4-stdenv-linux/setup: ./configure: /bin/sh: bad interpreter: No such file or directory
2022-06-23Remove NIX_LIBEXEC_DIREelco Dolstra
2022-06-23Fix build-remote in nix-staticEelco Dolstra
'build-remote' is now executed via /proc/self/exe so it always works.
2022-06-22nar-info-disk-cache: refresh nix-cache-info weeklyLinus Heckemann
This allows changes to nix-cache-info to be picked up by existing clients. Previously, the only way for this to happen would be for clients to delete binary-cache-v6.sqlite, which is quite awkward for users. On the other hand, updates to nix-cache-info should be pretty rare, hence the choice of a fairly long TTL. Configurability is probably not useful enough to warrant implementing it.
2022-06-15libstore: improve warning message on missing sigLorenzo Manacorda
Clarifies that the substitute will be ignored/skipped.
2022-06-13Merge pull request #6619 from Jonpez2/patch-1Eelco Dolstra
Add security.csm to ignored-acls
2022-06-13Merge pull request #6634 from lovesegfault/fix-getgrouplistEelco Dolstra
fix(libstore/lock): support users that belong to more than 10 groups
2022-06-10Add missing rethrows in conditional exception handlersAnders Kaseorg
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2022-06-08fix(libstore/lock): support users that belong to more than 10 groupsBernardo Meurer
The manpage for `getgrouplist` says: > If the number of groups of which user is a member is less than or > equal to *ngroups, then the value *ngroups is returned. > > If the user is a member of more than *ngroups groups, then > getgrouplist() returns -1. In this case, the value returned in > *ngroups can be used to resize the buffer passed to a further > call getgrouplist(). In our original code, however, we allocated a list of size `10` and, if `getgrouplist` returned `-1` threw an exception. In practice, this caused the code to fail for any user belonging to more than 10 groups. While unusual for single-user systems, large companies commonly have a huge number of POSIX groups users belong to, causing this issue to crop up and make multi-user Nix unusable in such settings. The fix is relatively simple, when `getgrouplist` fails, it stores the real number of GIDs in `ngroups`, so we must resize our list and retry. Only then, if it errors once more, we can raise an exception. This should be backported to, at least, 2.9.x.
2022-06-08Add security.csm to the default ignore listJonpez2
2022-06-03Merge pull request #6600 from asymmetric/hash-commentEelco Dolstra
schema.sql: add comment about hash being in base16
2022-06-01Merge branch 'master' into ltoThéophane Hufschmitt
2022-06-01schema.sql: add comment about hash being in base16Lorenzo Manacorda
2022-05-30RemoteStore::queryRealisationUncached(): Fix potential noexcept violationEelco Dolstra