Add a setting for enabling cgroups

doc/manual/src/release-notes/rl-next.md

@@ -43,10 +43,11 @@
 
   ```
   extra-experimental-features = cgroups
+  use-cgroups = true
   ```
 
-  to `nix.conf`. It is also automatically enabled for builds that
+  to `nix.conf`. Cgroups are required for derivations that require the
-  require the `uid-range` system feature.
+  `uid-range` system feature.
 
 * `nix build --json` now prints some statistics about top-level
   derivations, such as CPU statistics when cgroups are enabled.

src/libstore/build/local-derivation-goal.cc

@@ -401,9 +401,14 @@ static void linkOrCopy(const Path & from, const Path & to)
 void LocalDerivationGoal::startBuilder()
 {
     if ((buildUser && buildUser->getUIDCount() != 1)
-        || settings.isExperimentalFeatureEnabled(Xp::Cgroups))
+        #if __linux__
+        || settings.useCgroups
+        #endif
+        )
     {
         #if __linux__
+        settings.requireExperimentalFeature(Xp::Cgroups);
+
         auto ourCgroups = getCgroups("/proc/self/cgroup");
         auto ourCgroup = ourCgroups[""];
         if (ourCgroup == "")

src/libstore/globals.hh

@@ -304,6 +304,17 @@ public:
         "id-count",
         "The number of UIDs/GIDs to use for dynamic ID allocation."};
 
+    #if __linux__
+    Setting<bool> useCgroups{
+        this, false, "use-cgroups",
+        R"(
+          Whether to execute builds inside cgroups. Cgroups are
+          enabled automatically for derivations that require the
+          `uid-range` system feature.
+        )"
+    };
+    #endif
+
     Setting<bool> impersonateLinux26{this, false, "impersonate-linux-26",
         "Whether to impersonate a Linux 2.6 machine on newer kernels.",
         {"build-impersonate-linux-26"}};
@@ -592,10 +603,10 @@ public:
           cache) must have a signature by a trusted key. A trusted key is one
           listed in `trusted-public-keys`, or a public key counterpart to a
           private key stored in a file listed in `secret-key-files`.
-          
+
           Set to `false` to disable signature checking and trust all
           non-content-addressed paths unconditionally.
-          
+
           (Content-addressed paths are inherently trustworthy and thus
           unaffected by this configuration option.)
         )"};
@@ -681,7 +692,7 @@ public:
           is `root`.
 
           > **Warning**
-          > 
+          >
           > Adding a user to `trusted-users` is essentially equivalent to
           > giving that user root access to the system. For example, the user
           > can set `sandbox-paths` and thereby obtain read access to
@@ -771,13 +782,13 @@ public:
           The program executes with no arguments. The program's environment
           contains the following environment variables:
 
-            - `DRV_PATH`  
+            - `DRV_PATH`
               The derivation for the built paths.
 
               Example:
               `/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv`
 
-            - `OUT_PATHS`  
+            - `OUT_PATHS`
               Output paths of the built derivation, separated by a space
               character.
 
@@ -815,7 +826,7 @@ public:
           documentation](https://ec.haxx.se/usingcurl-netrc.html).
 
           > **Note**
-          > 
+          >
           > This must be an absolute path, and `~` is not resolved. For
           > example, `~/.netrc` won't resolve to your home directory's
           > `.netrc`.

tests/containers.nix

@@ -23,7 +23,7 @@ makeTest ({
           nix.binaryCaches = lib.mkForce [ ];
           nix.extraOptions =
             ''
-              extra-experimental-features = nix-command auto-allocate-uids
+              extra-experimental-features = nix-command auto-allocate-uids cgroups
               extra-system-features = uid-range
             '';
           nix.nixPath = [ "nixpkgs=${nixpkgs}" ];