aboutsummaryrefslogtreecommitdiff
path: root/src/nix-daemon/nix-daemon.cc
AgeCommit message (Collapse)Author
2020-06-15Remove trailing whitespaceEelco Dolstra
2020-05-13formatting and a few minor changesBen Burdette
2020-05-06todo removalBen Burdette
2020-05-04appending to hints; remove _printErrorBen Burdette
2020-05-03convert some printError calls to logErrorBen Burdette
2020-04-21remove 'format' from Error constructor callsBen Burdette
2020-03-30Remove global -I flagsEelco Dolstra
(cherry picked from commit 2c692a3b144523bca68dd6de618124ba6c9bb332)
2019-12-10Make the Store API more type-safeEelco Dolstra
Most functions now take a StorePath argument rather than a Path (which is just an alias for std::string). The StorePath constructor ensures that the path is syntactically correct (i.e. it looks like <store-dir>/<base32-hash>-<name>). Similarly, functions like buildPaths() now take a StorePathWithOutputs, rather than abusing Path by adding a '!<outputs>' suffix. Note that the StorePath type is implemented in Rust. This involves some hackery to allow Rust values to be used directly in C++, via a helper type whose destructor calls the Rust type's drop() function. The main issue is the dynamic nature of C++ move semantics: after we have moved a Rust value, we should not call the drop function on the original value. So when we move a value, we set the original value to bitwise zero, and the destructor only calls drop() if the value is not bitwise zero. This should be sufficient for most types. Also lots of minor cleanups to the C++ API to make it more modern (e.g. using std::optional and std::string_view in some places).
2019-12-02Merge remote-tracking branch 'origin/recursive-nix'Eelco Dolstra
2019-11-22getEnv(): Return std::optionalEelco Dolstra
This allows distinguishing between an empty value and no value.
2019-11-06CleanupEelco Dolstra
2019-11-06Recursive Nix supportEelco Dolstra
This allows Nix builders to call Nix to build derivations, with some limitations. Example: let nixpkgs = fetchTarball channel:nixos-18.03; in with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ nix jq ]; NIX_PATH = "nixpkgs=${nixpkgs}"; } '' hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })') $hello/bin/hello mkdir -p $out/bin ln -s $hello/bin/hello $out/bin/hello nix path-info -r --json $hello | jq . '' This derivation makes a recursive Nix call to build GNU Hello and symlinks it from its $out, i.e. # ll ./result/bin/ lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello # nix-store -qR ./result /nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131 /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5 /nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo This is implemented as follows: * Before running the outer builder, Nix creates a Unix domain socket '.nix-socket' in the builder's temporary directory and sets $NIX_REMOTE to point to it. It starts a thread to process connections to this socket. (Thus you don't need to have nix-daemon running.) * The daemon thread uses a wrapper store (RestrictedStore) to keep track of paths added through recursive Nix calls, to implement some restrictions (see below), and to do some censorship (e.g. for purity, queryPathInfo() won't return impure information such as signatures and timestamps). * After the build finishes, the output paths are scanned for references to the paths added through recursive Nix calls (in addition to the inputs closure). Thus, in the example above, $out has a reference to $hello. The main restriction on recursive Nix calls is that they cannot do arbitrary substitutions. For example, doing nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10 is forbidden unless /nix/store/kmwd... is in the inputs closure or previously built by a recursive Nix call. This is to prevent irreproducible derivations that have hidden dependencies on substituters or the current store contents. Building a derivation is fine, however, and Nix will use substitutes if available. In other words, the builder has to present proof that it knows how to build a desired store path from scratch by constructing a derivation graph for that path. Probably we should also disallow instantiating/building fixed-output derivations (specifically, those that access the network, but currently we have no way to mark fixed-output derivations that don't access the network). Otherwise sandboxed derivations can bypass sandbox restrictions and access the network. When sandboxing is enabled, we make paths appear in the sandbox of the builder by entering the mount namespace of the builder and bind-mounting each path. This is tricky because we do a pivot_root() in the builder to change the root directory of its mount namespace, and thus the host /nix/store is not visible in the mount namespace of the builder. To get around this, just before doing pivot_root(), we branch a second mount namespace that shares its /nix/store mountpoint with the parent. Recursive Nix currently doesn't work on macOS in sandboxed mode (because we can't change the sandbox policy of a running build) and in non-root mode (because setns() barfs).
2019-10-29Don't create a Store in processConnection()Eelco Dolstra
2019-10-29Move Unix domain socket creation to libutilEelco Dolstra
Also drop multithread-unfriendly hacks like doing a temporary chmod/umask.
2019-10-29Move most of the daemon implementation to libstoreEelco Dolstra
2019-10-09Remove world-writability from per-user directoriesEelco Dolstra
'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127.
2019-06-16Style fixEelco Dolstra
2019-06-15Daemon: warn when an untrusted user cannot override a settingFélix Baylac-Jacqué
In a daemon-based Nix setup, some options cannot be overridden by a client unless the client's user is considered trusted. Currently, if an untrusted user tries to override one of those options, we are silently ignoring it. This can be pretty confusing in certain situations. e.g. a user thinks he disabled the sandbox when in reality he did not. We are now sending a warning message letting know the user some options have been ignored. Related to #1761.
2019-03-14findRoots(): Don't censor for trusted usersEelco Dolstra
They're pretty much root anyway.
2019-03-14findRoots(): Add 'censor' parameterEelco Dolstra
This is less brittle than filtering paths after the fact in nix-daemon.
2019-03-10Fix warning about unused variableGuillaume Maudoux
2019-03-10Also obfuscate the number of memory rootsGuillaume Maudoux
2019-03-10Make roots a map of store paths to pinning linksGuillaume Maudoux
This new structure makes more sense as there may be many sources rooting the same store path. Many profiles can reference the same path but this is even more true with /proc/<pid>/maps where distinct pids can and often do map the same store path. This implementation is also more efficient as the `Roots` map contains only one entry per rooted store path.
2019-03-10Obfuscate memory roots for non-root usersGuillaume Maudoux
2018-10-26Merge all nix-* binaries into nixEelco Dolstra
These are all symlinks to 'nix' now, reducing the installed size by about ~1.7 MiB.
2018-10-04Remove unnecessary typecastEelco Dolstra
2018-09-25nix-daemon: allow setting builders to "" by any user (untrusted)Will Dietz
(cherry picked from commit a94a2eb1cb1c81e90a7529be5fecac27899a3442)
2018-08-03Make adding paths via nix-store --serve run in constant memoryEelco Dolstra
It adds a new operation, cmdAddToStoreNar, that does the same thing as the corresponding nix-daemon operation, i.e. call addToStore(). This replaces cmdImportPaths, which has the major issue that it sends the NAR first and the store path second, thus requiring us to store the incoming NAR either in memory or on disk until we decide what to do with it. For example, this reduces the memory usage of $ nix copy --to 'ssh://localhost?remote-store=/tmp/nix' /nix/store/95cwv4q54dc6giaqv6q6p4r02ia2km35-blender-2.79 from 267 MiB to 12 MiB. Probably fixes #1988.
2018-07-03nix-daemon: Respect --storeEelco Dolstra
For example, this allows you to do run nix-daemon as a non-privileged user: eelco$ NIX_STATE_DIR=~/my-nix/nix/var nix-daemon --store ~/my-nix/ The NIX_STATE_DIR is still needed because settings.nixDaemonSocketFile is not derived from settings.storeUri (and we can't derive it from the store's state directory because we don't want to open the store in the parent process).
2018-05-30Move some Download-specific settings to download.ccEelco Dolstra
2018-05-30Make 'nix copy --to daemon' run in constant memory (daemon side)Eelco Dolstra
Continuation of 97002b684c902dadcd351a67208f9c2a88ff8f8f. This makes the daemon use constant memory. For example, it reduces the daemon's maximum RSS on $ nix copy --from ~/my-nix --to daemon /nix/store/1n7x0yv8vq6zi90hfmian84vdhd04bgp-blender-2.79a from 264 MiB to 7 MiB. We now use a TunnelSource to prevent the connection from ending up in an undefined state if an exception is thrown while the NAR is being sent. Issue https://github.com/NixOS/nix/issues/1681.
2018-05-26nix-daemon: remove unused "pendingMsgs" variableWill Dietz
2018-05-21serialise: fix buffer size used, hide method for internal use onlyWill Dietz
Fixes #2169.
2018-04-09nix-daemon: Exit successfully when interrupted.Shea Levy
Fixes #2058.
2018-03-22Merge branch 'fix/avoid-large-stack-buffers' of https://github.com/dtzWill/nixEelco Dolstra
2018-03-16Reduce substitution memory consumptionEelco Dolstra
copyStorePath() now pipes the output of srcStore->narFromPath() directly into dstStore->addToStore(). The sink used by the former is converted into a source usable by the latter using boost::coroutine2. This is based on [1]. This reduces the maximum resident size of $ nix build --store ~/my-nix/ /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1 --substituters file:///tmp/binary-cache-xz/ --no-require-sigs from 418592 KiB to 53416 KiB. (The previous commit also reduced the runtime from ~4.2s to ~3.4s, not sure why.) A further improvement will be to download files into a Sink. [1] https://github.com/NixOS/nix/compare/master...Mathnerd314:dump-fix-coroutine#diff-dcbcac55a634031f9cc73707da6e4b18 Issue #1969.
2018-03-14nix-daemon: preserve errno in signal handler (thanks tsan)Will Dietz
2018-03-02don't allocate large buffers on the stackWill Dietz
2018-02-08Add plugins to make Nix more extensible.Shea Levy
All plugins in plugin-files will be dlopened, allowing them to statically construct instances of the various Register* types Nix supports.
2018-02-07More completely fix recursive nix, unbreak testsWill Dietz
See: https://github.com/NixOS/nix/commit/88b5d0c8e89afefbc547b6243c5aa5a3ec8176e9#commitcomment-27406365
2018-02-07Prevent accidental recursive NixEelco Dolstra
2018-01-08Improve error message with --repair for untrusted usersEelco Dolstra
2017-10-24Remove the remote-builds optionEelco Dolstra
This is superfluous since you can now just set "builders" to empty, e.g. "--builders ''".
2017-08-28Give activities a verbosity level againEelco Dolstra
And print them (separately from the progress bar) given sufficient -v flags.
2017-08-28Don't send progress messages to older clientsEelco Dolstra
2017-08-28Tunnel progress messages from the daemon to the clientEelco Dolstra
This makes the progress bar work for non-root users.
2017-08-28Make TunnelLogger thread-safeEelco Dolstra
Now that we use threads in lots of places, it's possible for TunnelLogger::log() to be called asynchronously from other threads than the main loop. So we need to ensure that STDERR_NEXT messages don't clobber other messages.
2017-08-16Progress indicator: CleanupEelco Dolstra
2017-07-30Replace Unicode quotes in user-facing strings by ASCIIJörg Thalheim
Relevant RFC: NixOS/rfcs#4 $ ag -l | xargs sed -i -e "/\"/s/’/'/g;/\"/s/‘/'/g"
2017-07-04Support base-64 hashesEelco Dolstra
Also simplify the Hash API. Fixes #1437.