aboutsummaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2023-02-19Merge pull request #7158 from sternenseemann/foldl-strict-accumulation-valueValentin Gagarin
2023-02-16Merge pull request #7811 from Et7f3/fix_memory_leaksRobert Hensing
Reduce memory leaks
2023-02-16ExprOpHasAttr,ExprSelect,stripIndentation,binds,formals: delete losts objectsEt7f3
We are looking for *$ because it indicate that it was constructed with a new but not release. De-referencing shallow copy so deleting as whole might create dangling pointer that's why we move it so we delete a empty containers + the nice perf boost.
2023-02-14Make /etc writability conditional on uid-range featureYorick van Pelt
2023-02-14Don't allow writing to /etcYorick van Pelt
2023-02-13Merge pull request #7744 from obsidiansystems/split-installable-store-pathtomberek
Factor out `InstallableStorePath` to its own file, dedup
2023-02-13Merge pull request #7616 from hercules-ci/fix-3898Eelco Dolstra
Fix foreign key error inserting into NARs #3898
2023-02-13Merge pull request #7804 from PJungkamp/fix-completionsEelco Dolstra
Infer short completion descriptions for commandline flags
2023-02-12ExprString: Avoid copy of stringEt7f3
2023-02-12parser: use implicit ruleEt7f3
2023-02-10Completions::add use libutil trim()Philipp Jungkamp
2023-02-10Merge pull request #7805 from edolstra/c++2aEelco Dolstra
Fix building with GCC 9
2023-02-10Merge pull request #7802 from edolstra/fix-7783Eelco Dolstra
Fix PID namespace support check
2023-02-10Fix building with GCC 9Eelco Dolstra
Nixpkgs on aarch64-linux is currently stuck on GCC 9 (https://github.com/NixOS/nixpkgs/issues/208412) and using gcc11Stdenv doesn't work either. So use c++2a instead of c++20 for now. Unfortunately this means we can't use some C++20 features for now (like std::span).
2023-02-10Merge pull request #5588 from tweag/balsoft/xdgThéophane Hufschmitt
Follow XDG Base Directory standard
2023-02-10Infer short completion descriptions for commandline flagsPhilipp Jungkamp
Descriptions for commandline flags may not include newlines and should be rather short for display in a shell. Truncate the description string of a flag on '\n' or '.' to and add an ellipsis if needed.
2023-02-10A setting to follow XDG Base Directory standardAlexander Bantyev
XDG Base Directory is a standard for locations for storing various files. Nix has a few files which seem to fit in the standard, but currently use a custom location directly in the user's ~, polluting it: - ~/.nix-profile - ~/.nix-defexpr - ~/.nix-channels This commit adds a config option (use-xdg-base-directories) to follow the XDG spec and instead use the following locations: - $XDG_STATE_HOME/nix/profile - $XDG_STATE_HOME/nix/defexpr - $XDG_STATE_HOME/nix/channels If $XDG_STATE_HOME is not set, it is assumed to be ~/.local/state. Co-authored-by: Théophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com> Co-authored-by: Tim Fenney <kodekata@gmail.com> Co-authored-by: pasqui23 <pasqui23@users.noreply.github.com> Co-authored-by: Artturin <Artturin@artturin.com> Co-authored-by: John Ericson <Ericson2314@Yahoo.com>
2023-02-10Fix macOS buildEelco Dolstra
2023-02-10LocalDerivationGoal::startBuilder(): Use startProcess() to cloneEelco Dolstra
2023-02-10daemon.cc: Rename UserSettings -> AuthorizationSettingsRobert Hensing
This is a bit more accurate. It's a private name, but before you know it, someone might make it public!
2023-02-10Simplify the PID namespace check: just try to mount /procEelco Dolstra
Fixes #7783.
2023-02-09Merge pull request #7754 from obsidiansystems/narrower-scope-derivation-flagThéophane Hufschmitt
Scope down `--derivation` to just the commands that use it
2023-02-09Merge pull request #7774 from edolstra/submodule-fixesEelco Dolstra
Git submodule fixes
2023-02-09Merge pull request #7712 from Mic92/advertise-compressionsEelco Dolstra
advertise transport encoding in http transfers to
2023-02-09Improve commentEelco Dolstra
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2023-02-09Fix activity messageEelco Dolstra
Co-authored-by: Josef Kemetmüller <josef.kemetmueller@gmail.com>
2023-02-08Documentation: builtins.fetchGit when used on a local path (#7706)Joachim Breitner
* Documentation: builtins.fetchGit when used on a local path Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2023-02-07NarInfoDiskCache: Also test id consistency with updated fieldsRobert Hensing
And clarify test
2023-02-07NarInfoDiskCache: Keep BinaryCache.id stable and improve testRobert Hensing
Fixes #3898 The entire `BinaryCaches` row used to get replaced after it became stale according to the `timestamp` column. In a concurrent scenario, this leads to foreign key conflicts as different instances of the in-process `state.caches` cache now differ, with the consequence that the older process still tries to use the `id` number of the old record. Furthermore, this phenomenon appears to have caused the cache for actual narinfos to be erased about every week, while the default ttl for narinfos was supposed to be 30 days.
2023-02-07NarInfoDiskCache: Prepare reproducer for #3898Robert Hensing
2023-02-07NarInfoDiskCacheImpl: Make dbPath a parameterRobert Hensing
This allows testing with a clean database.
2023-02-07NarInfoDiskCache: Rename cacheExists -> upToDateCacheExistsRobert Hensing
This is slightly more accurate considering that an outdated record may exist in the persistent cache. Possibly-outdated records are quite relevant as they may be foreign keys to more recent information that we want to keep, but we will not return them here.
2023-02-07sqlite.cc: Add SQL tracingRobert Hensing
Set environment variable NIX_DEBUG_SQLITE_TRACES=1 to log all sql statements.
2023-02-07Print debug message if a namespace test failsEelco Dolstra
2023-02-07Mention --no-sandbox if sandboxing is unsupportedEelco Dolstra
2023-02-07More #ifdefEelco Dolstra
2023-02-07Fix macOS buildEelco Dolstra
2023-02-07Check whether we can use PID namespacesEelco Dolstra
In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible.
2023-02-07Fix auto-uid-allocation in Docker containersEelco Dolstra
This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled. So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled. This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13).
2023-02-07Fix activity messageEelco Dolstra
2023-02-07Speed up fetching submodulesEelco Dolstra
Previously we would completely refetch the submodules from the network, even though the repo might already have them. Now we copy the .git/modules directory from the repo as an optimisation. This speeds up evaluating builtins.fetchTree { type = "git"; url = "/path/to/blender"; submodules = true; } (where /path/to/blender already has the needed submodules) from 121s to 57s. This is still pretty inefficient and a hack, but a better solution is best done on the lazy-trees branch. This change also help in the case where the repo already has the submodules but the origin is unfetchable for whatever reason (e.g. there have been cases where Nix in a GitHub action doesn't have the right authentication set up).
2023-02-07Fix the origin URL used for fetching submodulesEelco Dolstra
We cannot use 'actualUrl', because for file:// repos that's not the original URL that the repo was fetched from. This is a problem since submodules may be relative to the original URL. Fixes e.g. nix eval --impure --json --expr 'builtins.fetchTree { type = "git"; url = "/path/to/blender"; submodules = true; }' where /path/to/blender is a clone of https://github.com/blender/blender.git (which has several relative submodules like '../blender-addons.git').
2023-02-07Add some progress indication when fetching submodulesEelco Dolstra
2023-02-04Scope down `--derivation` to just the commands that use itJohn Ericson
Per the old FIXME, this flag was on too many commands, and mostly ignored. Now it is just on the commands where it actually has an effect. Per https://github.com/NixOS/nix/issues/7261, I would still like to get rid of it entirely, but that is a separate project. This change should be good with or without doing that.
2023-02-03Factor out `InstallableStorePath` to its own file, dedupJohn Ericson
`nix app` had something called `InstallableDerivedPath` which is actually the same thing. We go with the later's name because it has become more correct. I originally did this change (more hurriedly) as part of #6225 --- a mini store-only Nix and a full Nix need to share this code. In the first RFC meeting for https://github.com/NixOS/rfcs/pull/134 we discussed how some splitting of the massive `installables.cc` could begin prior, as that is a good thing anyways. (@edolstra's words, not mine!) This would be one such PR.
2023-02-03advertise transport encoding in http transfers toJörg Thalheim
tl;dr: With this 1 line change I was able to get a speedup of 1.5x on 1Gbit/s wan connections by enabling zstd compression in nginx. Also nix already supported all common compression format for http transfer, webservers usually only enable them if they are advertised through the Accept-Encoding header. This pull requests makes nix advertises content compression support for zstd, br, gzip and deflate. It's particular useful to add transparent compression for binary caches that serve packages from the host nix store in particular nix-serve, nix-serve-ng and harmonia. I tried so far gzip, brotli and zstd, whereas only zstd was able to bring me performance improvements for 1Gbit/s WAN connections. The following nginx configuration was used in combination with the [zstd module](https://github.com/tokers/zstd-nginx-module) and [harmonia](https://github.com/nix-community/harmonia/) ```nix { services.nginx.virtualHosts."cache.yourhost.com" = { locations."/".extraConfig = '' proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; zstd on; zstd_types application/x-nix-archive; ''; }; } ``` For testing I unpacked a linux kernel tarball to the nix store using this command `nix-prefetch-url --unpack https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.1.8.tar.gz`. Before: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwbb88sw36fvah-linux-6.1.8.tar.gz' warning: Git tree '/scratch/joerg/nix' is dirty real 0m18,375s user 0m2,889s sys 0m1,558s ``` After: ```console $ nix build && rm -rf /tmp/hello && time ./result/bin/nix copy --no-check-sigs --from https://cache.thalheim.io --to 'file:///tmp/hello?compression=none' '/nix/store/j42mahch5f0jvfmayhzwb b88sw36fvah-linux-6.1.8.tar.gz' real 0m11,884s user 0m4,130s sys 0m1,439s ``` Signed-off-by: Jörg Thalheim <joerg@thalheim.io> Update src/libstore/filetransfer.cc Co-authored-by: Théophane Hufschmitt <7226587+thufschmitt@users.noreply.github.com>
2023-02-03Merge pull request #7739 from obsidiansystems/user-settingsEelco Dolstra
Move `trustedUsers` and `allowedUsers` to separate config struct
2023-02-02Move `trustedUsers` and `allowedUsers` to separate config structJohn Ericson
These settings are not needed for libstore at all, they are just used by the nix daemon *command* for authorization on unix domain sockets. My moving them to a new configuration struct just in that file, we avoid them leaking anywhere else. Also, it is good to break up the mammoth `Settings` struct in general. Issue #5638 tracks this. The message is not changed because I do not want to regress in convenience to the user. Just saying "this connection is not trusted" doesn't tell them out to fix the issue. The ideal thing to do would be to somehow parameterize `processCommand` on how the error should be displayed, so different sorts of connections can display different information to the user based on how authentication is performed for the connection in question. This, however, is a good bit more work, so it is left for the future. This came up with me thinking about the tcp:// store (#5265). The larger project is not TCP *per se*, but the idea that it should be possible for something else to manage access control to services like the Nix Daemon, and those services simply trust or trust the incoming connection as they are told. This is a more capability-oriented way of thinking about trust than "every server implements its own auth separately" as we are used to today. Its very great that libstore itself already implements just this model, and so via this refactor I basically want to "enshrine" that so it continues to be the case.
2023-02-02Get rid of the `authHook` parameter on `processConnection`John Ericson
This is (morally) dead code. As @edolstra pointed out in https://github.com/NixOS/nix/pull/5226#discussion_r1073470813, this is no longer needed. I created this in 8d4162ff9e940ea9e2f97b07f3030a722695901a, so it is fitting that I now destroy it :).
2023-02-02Merge pull request #7736 from shlevy/plugin-files-daemonEelco Dolstra
Don't send plugin-files to the daemon.