aboutsummaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-02-07Fix macOS buildEelco Dolstra
2023-02-07Check whether we can use PID namespacesEelco Dolstra
In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible.
2023-02-07Fix auto-uid-allocation in Docker containersEelco Dolstra
This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13).
2023-02-07Fix activity messageEelco Dolstra
2023-02-07Speed up fetching submodulesEelco Dolstra
Previously we would completely refetch the submodules from the network, even though the repo might already have them. Now we copy the .git/modules directory from the repo as an optimisation. This speeds up evaluating builtins.fetchTree { type = "git"; url = "/path/to/blender"; submodules = true; } (where /path/to/blender already has the needed submodules) from 121s to 57s. This is still pretty inefficient and a hack, but a better solution is best done on the lazy-trees branch. This change also help in the case where the repo already has the submodules but the origin is unfetchable for whatever reason (e.g. there have been cases where Nix in a GitHub action doesn't have the right authentication set up).
2023-02-07Fix the origin URL used for fetching submodulesEelco Dolstra
We cannot use 'actualUrl', because for file:// repos that's not the original URL that the repo was fetched from. This is a problem since submodules may be relative to the original URL. Fixes e.g. nix eval --impure --json --expr 'builtins.fetchTree { type = "git"; url = "/path/to/blender"; submodules = true; }' where /path/to/blender is a clone of https://github.com/blender/blender.git (which has several relative submodules like '../blender-addons.git').
2023-02-07Add some progress indication when fetching submodulesEelco Dolstra
2023-02-07build-remote: store maxBuildJobs before forcing it to 1Yorick van Pelt
2023-02-06build-remote: don't warn when all local build slots are takenYorick van Pelt
Previously, build-remote would show a warning if all build slots were taken, even if they would open up later. This caused a lot of spam in the logs. Disable this warning when maxJobs > 0. See #6263
2023-02-04Scope down `--derivation` to just the commands that use itJohn Ericson
Per the old FIXME, this flag was on too many commands, and mostly ignored. Now it is just on the commands where it actually has an effect. Per https://github.com/NixOS/nix/issues/7261, I would still like to get rid of it entirely, but that is a separate project. This change should be good with or without doing that.
2023-02-03Factor out `InstallableStorePath` to its own file, dedupJohn Ericson
`nix app` had something called `InstallableDerivedPath` which is actually the same thing. We go with the later's name because it has become more correct. I originally did this change (more hurriedly) as part of #6225 --- a mini store-only Nix and a full Nix need to share this code. In the first RFC meeting for https://github.com/NixOS/rfcs/pull/134 we discussed how some splitting of the massive `installables.cc` could begin prior, as that is a good thing anyways. (@edolstra's words, not mine!) This would be one such PR.
2023-02-03advertise transport encoding in http transfers toJörg Thalheim
tl;dr: With this 1 line change I was able to get a speedup of 1.5x on 1Gbit/s wan connections by enabling zstd compression in nginx. Also nix already supported all common compression format for http transfer, webservers usually only enable them if they are advertised through the Accept-Encoding header. This pull requests makes nix advertises content compression support for zstd, br, gzip and deflate. It's particular useful to add transparent compression for binary caches that serve packages from the host nix store in particular nix-serve, nix-serve-ng and harmonia. I tried so far gzip, brotli and zstd, whereas only zstd was able to bring me performance improvements for 1Gbit/s WAN connections. The following nginx configuration was used in combination with the [zstd module](https://github.com/tokers/zstd-nginx-module) and [harmonia](https://github.com/nix-community/harmonia/) ```nix { services.nginx.virtualHosts."cache.yourhost.com" = { locations."/".extraConfig = '' proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; zstd on; zstd_types application/x-nix-archive; ''; }; } ``` For testing I unpacked a linux kernel tarball to the nix store using this command `nix-prefetch-url --unpack https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.1.8.tar.gz`. Before: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwbb88sw36fvah-linux-6.1.8.tar.gz' warning: Git tree '/scratch/joerg/nix' is dirty real 0m18,375s user 0m2,889s sys 0m1,558s ``` After: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwb b88sw36fvah-linux-6.1.8.tar.gz' real 0m11,884s user 0m4,130s sys 0m1,439s ``` Signed-off-by: Jörg Thalheim <joerg@thalheim.io> Update src/libstore/filetransfer.cc Co-authored-by: Théophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com>
2023-02-03Merge pull request #7739 from obsidiansystems/user-settingsEelco Dolstra
Move `trustedUsers` and `allowedUsers` to separate config struct
2023-02-02Move `trustedUsers` and `allowedUsers` to separate config structJohn Ericson
These settings are not needed for libstore at all, they are just used by the nix daemon *command* for authorization on unix domain sockets. My moving them to a new configuration struct just in that file, we avoid them leaking anywhere else. Also, it is good to break up the mammoth `Settings` struct in general. Issue #5638 tracks this. The message is not changed because I do not want to regress in convenience to the user. Just saying "this connection is not trusted" doesn't tell them out to fix the issue. The ideal thing to do would be to somehow parameterize `processCommand` on how the error should be displayed, so different sorts of connections can display different information to the user based on how authentication is performed for the connection in question. This, however, is a good bit more work, so it is left for the future. This came up with me thinking about the tcp:// store (#5265). The larger project is not TCP *per se*, but the idea that it should be possible for something else to manage access control to services like the Nix Daemon, and those services simply trust or trust the incoming connection as they are told. This is a more capability-oriented way of thinking about trust than "every server implements its own auth separately" as we are used to today. Its very great that libstore itself already implements just this model, and so via this refactor I basically want to "enshrine" that so it continues to be the case.
2023-02-02Get rid of the `authHook` parameter on `processConnection`John Ericson
This is (morally) dead code. As @edolstra pointed out in https://github.com/NixOS/nix/pull/5226#discussion_r1073470813, this is no longer needed. I created this in 8d4162ff9e940ea9e2f97b07f3030a722695901a, so it is fitting that I now destroy it :).
2023-02-02Merge pull request #7736 from shlevy/plugin-files-daemonEelco Dolstra
Don't send plugin-files to the daemon.
2023-02-02daemon: Warn on old clients passing unexpected plugin-files.Shea Levy
The setting itself was already ignored due to exception trying to set pluginFiles.
2023-02-01Don't send plugin-files to the daemon.Shea Levy
This is radically unsafe and the daemon has already loaded its plugins anyway. Fixes cachix/devenv#276
2023-02-01nix-shell: Colour the prompt red if the user is rootJamie Quigley
This matches the nixos prompt colours - green for standard user, red for root
2023-02-01Fix clang compilationEelco Dolstra
2023-02-01Remove an unused captureEelco Dolstra
2023-02-01Merge pull request #7723 from yorickvP/nix-store-ping-jsonEelco Dolstra
nix store ping: add --json flag
2023-02-01Merge pull request #7716 from obsidiansystems/small-storePath-cleanupsThéophane Hufschmitt
Separate `path.hh` from `content-address.hh`
2023-02-01Merge pull request #7717 from obsidiansystems/delete-dead-codeEelco Dolstra
Delete dead code
2023-02-01Merge pull request #7667 from dramforever/flake-search-attrThéophane Hufschmitt
Better error message for nix search when attr is not found
2023-02-01Merge pull request #7726 from hercules-ci/flake-show-when-empty-hideEelco Dolstra
nix flake show: Ignore empty attrsets
2023-02-01Merge pull request #7203 from graham33/feature/cpp20Eelco Dolstra
Proposal: Use C++20
2023-01-31nix flake show: Ignore empty attrsetsRobert Hensing
For frameworks it's important that structures are as lazy as possible to prevent infinite recursions, performance issues and errors that aren't related to the thing to evaluate. As a consequence, they have to emit more attributes than strictly (sic) necessary. However, these attributes with empty values are not useful to the user so we omit them.
2023-01-31nix store ping: try to print json if connect() fails aswellYorick van Pelt
2023-01-31nix store ping: add --json flagYorick van Pelt
2023-01-30Merge pull request #7713 from obsidiansystems/more-rapid-checkRobert Hensing
Add more property tests
2023-01-30Delete dead codeJohn Ericson
The references set seems to have been unused since `LegacySSHStore` references were first created in caa5793b4a74049ee37dd88eb1c5b785456ce40d. The method decls never were upstream, and accidentally added by me in 062533f7cdb74026096ca8c7d5b6e393893d59ef (probably due to `git rerere`). Sorry! This reduces the diff from #3746.
2023-01-31Fix extra "." in CmdSearch::getDefaultFlakeAttrPathsdramforever
No other getDefaultFlakeAttrPaths implementation has this trailing dot, and the dot can show up in error messages like: error: flake '...' does not provide attribute 'packages.x86_64-linux.', ...
2023-01-31Installable::getCursors: Cleanupdramforever
- Clarify doc comments, Installables::getCursors returns non-empty vector - Use vector::at in Installable::getCursor instead of checking for empty vector and throwing an exception with error message.
2023-01-30InstallableFlake: Handle missing attr in getCursorsdramforever
Handle the case where none of getActualAttrPaths() actually exists, in which case instead of returning an empty vector. This fixes the case where the user misspells the attribute name in nix search. Instead of getting no search results, now it shows an error with suggestions. Also remove InstallableFlake::getCursor() override since it's now equivalent to the base class version.
2023-01-30Make per-variant Arbitrary impls tooJohn Ericson
This is a nice idea that @roberth requested. If we could factor our a generic `std::variant` impl as a follow-up it would be even better!
2023-01-30Separate `path.hh` from `content-address.hh`John Ericson
It is good to separate concerns; `StorePath` (in general) has nothing to do with `ContentAddress` anyways. This reduces the diff from #3746.
2023-01-30Avoid some `StorePath` <-> `Path` round tripsJohn Ericson
Avoid needless work and throwing away invariants. These conversions date back to when `StorePath` was in Rust and there were issues with it missing utility methods.
2023-01-30Merge pull request #5226 from NixOS/client-side-profilesEelco Dolstra
Move the default profiles to the user’s home
2023-01-30Merge pull request #6988 from max-privatevoid/pr-flake-show-foreignThéophane Hufschmitt
nix flake show: don't evaluate derivations for foreign systems by default
2023-01-30Merge pull request #7087 from ncfavier/referenceablePathsThéophane Hufschmitt
Self-contained outputs
2023-01-30Merge pull request #7645 from ↵Théophane Hufschmitt
typetetris/fix-url-parsing-file-as-application-scheme Fix url parsing for urls using `file+`
2023-01-30Merge branch 'master' into referenceablePathsThéophane Hufschmitt
2023-01-30Merge pull request #7689 from ncfavier/nix-path-restrict-evalThéophane Hufschmitt
getDefaultNixPath: actually respect `{restrict,pure}-eval`
2023-01-29More property testsJohn Ericson
Also put proper comparison methods on `DerivedPath` and `NixStringContextElem`, which is needed for the tests but good in general.
2023-01-29Allow unit test infra to be reused across libs' testsJohn Ericson
This allows using Arbitrary "instances" defined in libstore-tests in libexpr-tests, something we will leverage in a moment.
2023-01-27apply showAllSystems to legacyPackages as wellMax
2023-01-27Document default `nix-path` valueNaïm Favier
2023-01-27getDefaultNixPath: actually respect `{restrict,pure}-eval`Naïm Favier
Previously, getDefaultNixPath was called too early: at initialisation time, before CLI and config have been processed, when `restrictEval` and `pureEval` both have their default value `false`. Call it when initialising the EvalState instead, and use `setDefault`.
2023-01-27Merge remote-tracking branch 'nixos/master' into pr-flake-show-foreignThéophane Hufschmitt