From 4dbbd721eb9db75d4968a624b8cb9e75e979a144 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Mon, 2 Sep 2024 20:09:35 +0200 Subject: treewide: consistently mark overridden settings as such Only overridden settings are sent to the daemon, and we're going to do the same for the build hook to. It needs to be ensured that overridden settings are in fact consistently marked as such, so that they actually get sent. Change-Id: I7cd58d925702f86cf2c35ad121eb191ceb62a355 --- src/libstore/builtins/fetchurl.cc | 4 ++-- src/libstore/daemon.cc | 19 ++++++++++--------- src/libstore/globals.cc | 18 +++++++++--------- src/libstore/remote-store.cc | 1 + 4 files changed, 22 insertions(+), 20 deletions(-) (limited to 'src/libstore') diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc index b28eb01d0..69a9f993f 100644 --- a/src/libstore/builtins/fetchurl.cc +++ b/src/libstore/builtins/fetchurl.cc @@ -13,11 +13,11 @@ void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData, this to be stored in a file. It would be nice if we could just pass a pointer to the data. */ if (netrcData != "") { - settings.netrcFile = "netrc"; + settings.netrcFile.override("netrc"); writeFile(settings.netrcFile, netrcData, 0600); } - settings.caFile = "ca-certificates.crt"; + settings.caFile.override("ca-certificates.crt"); writeFile(settings.caFile, caFileData, 0600); auto getAttr = [&](const std::string & name) { diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc index a9239197b..93b405c01 100644 --- a/src/libstore/daemon.cc +++ b/src/libstore/daemon.cc @@ -195,15 +195,15 @@ struct ClientSettings void apply(TrustedFlag trusted) { - settings.keepFailed = keepFailed; - settings.keepGoing = keepGoing; - settings.tryFallback = tryFallback; + settings.keepFailed.override(keepFailed); + settings.keepGoing.override(keepGoing); + settings.tryFallback.override(tryFallback); nix::verbosity = verbosity; - settings.maxBuildJobs.assign(maxBuildJobs); - settings.maxSilentTime = maxSilentTime; + settings.maxBuildJobs.override(maxBuildJobs); + settings.maxSilentTime.override(maxSilentTime); settings.verboseBuild = verboseBuild; - settings.buildCores = buildCores; - settings.useSubstitutes = useSubstitutes; + settings.buildCores.override(buildCores); + settings.useSubstitutes.override(useSubstitutes); for (auto & i : overrides) { auto & name(i.first); @@ -225,12 +225,13 @@ struct ClientSettings else warn("ignoring untrusted substituter '%s', you are not a trusted user.\n" "Run `man nix.conf` for more information on the `substituters` configuration option.", s); - res = subs; + res.override(subs); return true; }; try { - if (name == "ssh-auth-sock") // obsolete + if (name == "ssh-auth-sock" // obsolete + || name == "store") // the daemon *is* the store ; else if (name == experimentalFeatureSettings.experimentalFeatures.name) { // We don’t want to forward the experimental features to diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index f43b759d2..9377ac936 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -69,12 +69,12 @@ Settings::Settings() , nixManDir(canonPath(NIX_MAN_DIR)) , nixDaemonSocketFile(canonPath(getEnvNonEmpty("NIX_DAEMON_SOCKET_PATH").value_or(nixStateDir + DEFAULT_SOCKET_PATH))) { - buildUsersGroup = getuid() == 0 ? "nixbld" : ""; - allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1"; + buildUsersGroup.setDefault(getuid() == 0 ? "nixbld" : ""); + allowSymlinkedStore.setDefault(getEnv("NIX_IGNORE_SYMLINK_STORE") == "1"); auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or("")); if (sslOverride != "") - caFile = sslOverride; + caFile.setDefault(sslOverride); /* Backwards compatibility. */ auto s = getEnv("NIX_REMOTE_SYSTEMS"); @@ -82,17 +82,17 @@ Settings::Settings() Strings ss; for (auto & p : tokenizeString(*s, ":")) ss.push_back("@" + p); - builders = concatStringsSep(" ", ss); + builders.setDefault(concatStringsSep(" ", ss)); } #if defined(__linux__) && defined(SANDBOX_SHELL) - sandboxPaths = tokenizeString("/bin/sh=" SANDBOX_SHELL); + sandboxPaths.setDefault(tokenizeString("/bin/sh=" SANDBOX_SHELL)); #endif /* chroot-like behavior from Apple's sandbox */ #if __APPLE__ - sandboxPaths = tokenizeString("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib"); - allowedImpureHostPrefixes = tokenizeString("/System/Library /usr/lib /dev /bin/sh"); + sandboxPaths.setDefault(tokenizeString("/System/Library/Frameworks /System/Library/PrivateFrameworks /bin/sh /bin/bash /private/tmp /private/var/tmp /usr/lib")); + allowedImpureHostPrefixes.setDefault(tokenizeString("/System/Library /usr/lib /dev /bin/sh")); #endif /* Set the build hook location @@ -118,10 +118,10 @@ Settings::Settings() if (!pathExists(nixExePath)) { nixExePath = getSelfExe().value_or("nix"); } - buildHook = { + buildHook.setDefault(Strings { nixExePath, "__build-remote", - }; + }); } void loadConfFile() diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index a9f9818be..ff3722085 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -139,6 +139,7 @@ void RemoteStore::setOptions(Connection & conn) overrides.erase(loggerSettings.showTrace.name); overrides.erase(experimentalFeatureSettings.experimentalFeatures.name); overrides.erase(settings.pluginFiles.name); + overrides.erase(settings.storeUri.name); // the daemon *is* the store conn.to << overrides.size(); for (auto & i : overrides) conn.to << i.first << i.second.value; -- cgit v1.2.3 From ece99fee23d53185436a91f4cdd5cf5ad9652384 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Mon, 2 Sep 2024 20:17:34 +0200 Subject: libstore/build: only send overridden settings to the build hook The build hook is still running locally, so it will run with the same default settings. Hence, just as with the daemon, it is enough to send it only the overridden settings. This will prevent warnings like warning: Ignoring setting 'auto-allocate-uids' because experimental feature 'auto-allocate-uids' is not enabled when the user didn't actually set those settings. This is inspired by and an alternative to [0]. [0] https://github.com/NixOS/nix/pull/10049 Change-Id: I77ea62cd017614b16b55979dd30e75f09f860d21 --- src/libstore/build/hook-instance.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/libstore') diff --git a/src/libstore/build/hook-instance.cc b/src/libstore/build/hook-instance.cc index 521f34917..9f76eca4d 100644 --- a/src/libstore/build/hook-instance.cc +++ b/src/libstore/build/hook-instance.cc @@ -74,7 +74,7 @@ HookInstance::HookInstance() sink = FdSink(toHook.get()); std::map settings; - globalConfig.getSettings(settings); + globalConfig.getSettings(settings, true); for (auto & setting : settings) sink << 1 << setting.first << setting.second.value; sink << 0; -- cgit v1.2.3 From 689eb45630a183f0fbbd8864cb7a3c7cb1704451 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Tue, 20 Aug 2024 19:18:53 +0200 Subject: treewide: make more settings conditionally available Some settings only make sense on particular platforms, or only when a certain experimental feature is enabled. Several of those were already conditionally available. Do the same for a bunch more instead of silently ignoring them. Exceptionally, the use-case-hack setting is not made conditional because it is included in the test suite. Change-Id: I29e66ad8ee6178a7c0eff9efb55c3410fae32514 --- src/libstore/globals.hh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'src/libstore') diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index bfba6ab01..dfb90cbe6 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -380,7 +380,8 @@ public: users in `build-users-group`. UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS. - )"}; + )", + {}, true, Xp::AutoAllocateUids}; Setting startId{this, #if __linux__ @@ -389,7 +390,10 @@ public: 56930, #endif "start-id", - "The first UID and GID to use for dynamic ID allocation."}; + "The first UID and GID to use for dynamic ID allocation.", + {}, + true, + Xp::AutoAllocateUids}; Setting uidCount{this, #if __linux__ @@ -398,7 +402,10 @@ public: 128, #endif "id-count", - "The number of UIDs/GIDs to use for dynamic ID allocation."}; + "The number of UIDs/GIDs to use for dynamic ID allocation.", + {}, + true, + Xp::AutoAllocateUids}; #if __linux__ Setting useCgroups{ @@ -409,12 +416,13 @@ public: Cgroups are required and enabled automatically for derivations that require the `uid-range` system feature. - )"}; - #endif + )", + {}, true, Xp::Cgroups}; Setting impersonateLinux26{this, false, "impersonate-linux-26", "Whether to impersonate a Linux 2.6 machine on newer kernels.", {"build-impersonate-linux-26"}}; + #endif Setting keepLog{ this, true, "keep-build-log", @@ -567,6 +575,7 @@ public: Setting sandboxFallback{this, true, "sandbox-fallback", "Whether to disable sandboxing when the kernel doesn't allow it."}; +#if __linux__ Setting requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups", R"( Following the principle of least privilege, @@ -585,7 +594,6 @@ public: and `false` otherwise. )"}; -#if __linux__ Setting sandboxShmSize{ this, "50%", "sandbox-dev-shm-size", R"( -- cgit v1.2.3