| Age | Commit message (Collapse) | Author |
|---|
|
'nix-daemon' now creates subdirectories for users when they first
connect.
Fixes #509 (CVE-2019-17365).
Should also fix #3127.
|
|
|
|
In a daemon-based Nix setup, some options cannot be overridden by a
client unless the client's user is considered trusted.
Currently, if an untrusted user tries to override one of those
options, we are silently ignoring it.
This can be pretty confusing in certain situations.
e.g. a user thinks he disabled the sandbox when in reality he did not.
We are now sending a warning message letting know the user some options
have been ignored.
Related to #1761.
|
|
They're pretty much root anyway.
|
|
This is less brittle than filtering paths after the fact in
nix-daemon.
|
|
|
|
|
|
This new structure makes more sense as there may be many sources rooting
the same store path. Many profiles can reference the same path but this
is even more true with /proc/<pid>/maps where distinct pids can and
often do map the same store path.
This implementation is also more efficient as the `Roots` map contains
only one entry per rooted store path.
|
|
|
|
These are all symlinks to 'nix' now, reducing the installed size by
about ~1.7 MiB.
|
|
|
|
(cherry picked from commit a94a2eb1cb1c81e90a7529be5fecac27899a3442)
|
|
It adds a new operation, cmdAddToStoreNar, that does the same thing as
the corresponding nix-daemon operation, i.e. call addToStore(). This
replaces cmdImportPaths, which has the major issue that it sends the
NAR first and the store path second, thus requiring us to store the
incoming NAR either in memory or on disk until we decide what to do
with it.
For example, this reduces the memory usage of
$ nix copy --to 'ssh://localhost?remote-store=/tmp/nix' /nix/store/95cwv4q54dc6giaqv6q6p4r02ia2km35-blender-2.79
from 267 MiB to 12 MiB.
Probably fixes #1988.
|
|
For example, this allows you to do run nix-daemon as a non-privileged
user:
eelco$ NIX_STATE_DIR=~/my-nix/nix/var nix-daemon --store ~/my-nix/
The NIX_STATE_DIR is still needed because settings.nixDaemonSocketFile
is not derived from settings.storeUri (and we can't derive it from the
store's state directory because we don't want to open the store in the
parent process).
|
|
|
|
Continuation of 97002b684c902dadcd351a67208f9c2a88ff8f8f. This makes
the daemon use constant memory. For example, it reduces the daemon's
maximum RSS on
$ nix copy --from ~/my-nix --to daemon /nix/store/1n7x0yv8vq6zi90hfmian84vdhd04bgp-blender-2.79a
from 264 MiB to 7 MiB.
We now use a TunnelSource to prevent the connection from ending up in
an undefined state if an exception is thrown while the NAR is being
sent.
Issue https://github.com/NixOS/nix/issues/1681.
|
|
|
|
Fixes #2169.
|
|
Fixes #2058.
|
|
|
|
copyStorePath() now pipes the output of srcStore->narFromPath()
directly into dstStore->addToStore(). The sink used by the former is
converted into a source usable by the latter using
boost::coroutine2. This is based on [1].
This reduces the maximum resident size of
$ nix build --store ~/my-nix/ /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1 --substituters file:///tmp/binary-cache-xz/ --no-require-sigs
from 418592 KiB to 53416 KiB. (The previous commit also reduced the
runtime from ~4.2s to ~3.4s, not sure why.) A further improvement will
be to download files into a Sink.
[1] https://github.com/NixOS/nix/compare/master...Mathnerd314:dump-fix-coroutine#diff-dcbcac55a634031f9cc73707da6e4b18
Issue #1969.
|
|
|
|
|
|
All plugins in plugin-files will be dlopened, allowing them to
statically construct instances of the various Register* types Nix
supports.
|
|
See:
https://github.com/NixOS/nix/commit/88b5d0c8e89afefbc547b6243c5aa5a3ec8176e9#commitcomment-27406365
|
|
|
|
|
|
This is superfluous since you can now just set "builders" to empty,
e.g. "--builders ''".
|
|
And print them (separately from the progress bar) given sufficient -v
flags.
|
|
|
|
This makes the progress bar work for non-root users.
|
|
Now that we use threads in lots of places, it's possible for
TunnelLogger::log() to be called asynchronously from other threads
than the main loop. So we need to ensure that STDERR_NEXT messages
don't clobber other messages.
|
|
|
|
Relevant RFC: NixOS/rfcs#4
$ ag -l | xargs sed -i -e "/\"/s/’/'/g;/\"/s/‘/'/g"
|
|
Also simplify the Hash API.
Fixes #1437.
|
|
Functions like copyClosure() had 3 bool arguments, which creates a
severe risk of mixing up arguments.
Also, implement copyClosure() using copyPaths().
|
|
|
|
Note that a trusted signature was still required in this case so it
was not a huge deal.
|
|
|
|
|
|
|
|
|
|
These are no longer used anywhere.
|
|
|
|
This makes all config options self-documenting.
Unknown or unparseable config settings and --option flags now cause a
warning.
|
|
|
|
This provides a significant speedup, e.g. 64 s -> 12 s for
nix-build --dry-run -I nixpkgs=channel:nixos-16.03 '<nixpkgs/nixos/tests/misc.nix>' -A test
on a cold local and CloudFront cache.
The alternative is to use lots of concurrent daemon connections but
that seems wasteful.
|
|
This is useless because the client also caches path info, and can
cause problems for long-running clients like hydra-queue-runner
(i.e. it may return cached info about paths that have been
garbage-collected).
|
|
When receiving a very large file, this can prevent the string from
having tobe copied, which temporarily doubles memory consumption.
|
|
This allows the NAR to be streamed in the future (though we're not
doing that yet).
|
