Merge branch 'rework-options' of https://github.com/copumpkin/nix
commit
1860070548
11 changed files with 222 additions and 93 deletions
|
@ -299,7 +299,7 @@ EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
|
||||||
{
|
{
|
||||||
countCalls = getEnv("NIX_COUNT_CALLS", "0") != "0";
|
countCalls = getEnv("NIX_COUNT_CALLS", "0") != "0";
|
||||||
|
|
||||||
restricted = settings.get("restrict-eval", false);
|
restricted = settings.restrictEval;
|
||||||
|
|
||||||
assert(gcInitialised);
|
assert(gcInitialised);
|
||||||
|
|
||||||
|
|
|
@ -34,13 +34,6 @@
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
|
|
||||||
/* chroot-like behavior from Apple's sandbox */
|
|
||||||
#if __APPLE__
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
|
||||||
#else
|
|
||||||
#define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Includes required for chroot support. */
|
/* Includes required for chroot support. */
|
||||||
#if __linux__
|
#if __linux__
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
@ -1279,7 +1272,7 @@ void DerivationGoal::inputsRealised()
|
||||||
|
|
||||||
/* Don't repeat fixed-output derivations since they're already
|
/* Don't repeat fixed-output derivations since they're already
|
||||||
verified by their output hash.*/
|
verified by their output hash.*/
|
||||||
nrRounds = fixedOutput ? 1 : settings.get("build-repeat", 0) + 1;
|
nrRounds = fixedOutput ? 1 : settings.buildRepeat + 1;
|
||||||
|
|
||||||
/* Okay, try to build. Note that here we don't wait for a build
|
/* Okay, try to build. Note that here we don't wait for a build
|
||||||
slot to become available, since we don't need one if there is a
|
slot to become available, since we don't need one if there is a
|
||||||
|
@ -1697,9 +1690,7 @@ void DerivationGoal::startBuilder()
|
||||||
|
|
||||||
/* Are we doing a chroot build? */
|
/* Are we doing a chroot build? */
|
||||||
{
|
{
|
||||||
string x = settings.get("build-use-sandbox",
|
string x = settings.useSandbox;
|
||||||
/* deprecated alias */
|
|
||||||
settings.get("build-use-chroot", string("false")));
|
|
||||||
if (x != "true" && x != "false" && x != "relaxed")
|
if (x != "true" && x != "false" && x != "relaxed")
|
||||||
throw Error("option ‘build-use-sandbox’ must be set to one of ‘true’, ‘false’ or ‘relaxed’");
|
throw Error("option ‘build-use-sandbox’ must be set to one of ‘true’, ‘false’ or ‘relaxed’");
|
||||||
if (x == "true") {
|
if (x == "true") {
|
||||||
|
@ -1756,21 +1747,10 @@ void DerivationGoal::startBuilder()
|
||||||
|
|
||||||
if (useChroot) {
|
if (useChroot) {
|
||||||
|
|
||||||
string defaultChrootDirs;
|
|
||||||
#if __linux__
|
|
||||||
if (worker.store.isInStore(BASH_PATH))
|
|
||||||
defaultChrootDirs = "/bin/sh=" BASH_PATH;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Allow a user-configurable set of directories from the
|
/* Allow a user-configurable set of directories from the
|
||||||
host file system. */
|
host file system. */
|
||||||
PathSet dirs = tokenizeString<StringSet>(
|
PathSet dirs = settings.sandboxPaths;
|
||||||
settings.get("build-sandbox-paths",
|
PathSet dirs2 = settings.extraSandboxPaths;
|
||||||
/* deprecated alias with lower priority */
|
|
||||||
settings.get("build-chroot-dirs", defaultChrootDirs)));
|
|
||||||
PathSet dirs2 = tokenizeString<StringSet>(
|
|
||||||
settings.get("build-extra-chroot-dirs",
|
|
||||||
settings.get("build-extra-sandbox-paths", string(""))));
|
|
||||||
dirs.insert(dirs2.begin(), dirs2.end());
|
dirs.insert(dirs2.begin(), dirs2.end());
|
||||||
|
|
||||||
dirsInChroot.clear();
|
dirsInChroot.clear();
|
||||||
|
@ -1802,8 +1782,7 @@ void DerivationGoal::startBuilder()
|
||||||
for (auto & i : closure)
|
for (auto & i : closure)
|
||||||
dirsInChroot[i] = i;
|
dirsInChroot[i] = i;
|
||||||
|
|
||||||
string allowed = settings.get("allowed-impure-host-deps", string(DEFAULT_ALLOWED_IMPURE_PREFIXES));
|
PathSet allowedPaths = settings.allowedImpureHostPrefixes;
|
||||||
PathSet allowedPaths = tokenizeString<StringSet>(allowed);
|
|
||||||
|
|
||||||
/* This works like the above, except on a per-derivation level */
|
/* This works like the above, except on a per-derivation level */
|
||||||
Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps"));
|
Strings impurePaths = tokenizeString<Strings>(get(drv->env, "__impureHostDeps"));
|
||||||
|
@ -1823,7 +1802,7 @@ void DerivationGoal::startBuilder()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!found)
|
if (!found)
|
||||||
throw Error(format("derivation ‘%1%’ requested impure path ‘%2%’, but it was not in allowed-impure-host-deps (‘%3%’)") % drvPath % i % allowed);
|
throw Error(format("derivation ‘%1%’ requested impure path ‘%2%’, but it was not in allowed-impure-host-deps") % drvPath % i);
|
||||||
|
|
||||||
dirsInChroot[i] = i;
|
dirsInChroot[i] = i;
|
||||||
}
|
}
|
||||||
|
@ -2444,7 +2423,7 @@ void DerivationGoal::runChild()
|
||||||
/* Mount a new tmpfs on /dev/shm to ensure that whatever
|
/* Mount a new tmpfs on /dev/shm to ensure that whatever
|
||||||
the builder puts in /dev/shm is cleaned up automatically. */
|
the builder puts in /dev/shm is cleaned up automatically. */
|
||||||
if (pathExists("/dev/shm") && mount("none", (chrootRootDir + "/dev/shm").c_str(), "tmpfs", 0,
|
if (pathExists("/dev/shm") && mount("none", (chrootRootDir + "/dev/shm").c_str(), "tmpfs", 0,
|
||||||
fmt("size=%s", settings.get("sandbox-dev-shm-size", std::string("50%"))).c_str()) == -1)
|
fmt("size=%s", settings.sandboxShmSize).c_str()) == -1)
|
||||||
throw SysError("mounting /dev/shm");
|
throw SysError("mounting /dev/shm");
|
||||||
|
|
||||||
/* Mount a new devpts on /dev/pts. Note that this
|
/* Mount a new devpts on /dev/pts. Note that this
|
||||||
|
@ -2602,7 +2581,7 @@ void DerivationGoal::runChild()
|
||||||
sandboxProfile += "(version 1)\n";
|
sandboxProfile += "(version 1)\n";
|
||||||
|
|
||||||
/* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
|
/* Violations will go to the syslog if you set this. Unfortunately the destination does not appear to be configurable */
|
||||||
if (settings.get("darwin-log-sandbox-violations", false)) {
|
if (settings.darwinLogSandboxViolations) {
|
||||||
sandboxProfile += "(deny default)\n";
|
sandboxProfile += "(deny default)\n";
|
||||||
} else {
|
} else {
|
||||||
sandboxProfile += "(deny default (with no-log))\n";
|
sandboxProfile += "(deny default (with no-log))\n";
|
||||||
|
@ -2749,7 +2728,7 @@ void DerivationGoal::registerOutputs()
|
||||||
InodesSeen inodesSeen;
|
InodesSeen inodesSeen;
|
||||||
|
|
||||||
Path checkSuffix = ".check";
|
Path checkSuffix = ".check";
|
||||||
bool runDiffHook = settings.get("run-diff-hook", false);
|
bool runDiffHook = settings.runDiffHook;
|
||||||
bool keepPreviousRound = settings.keepFailed || runDiffHook;
|
bool keepPreviousRound = settings.keepFailed || runDiffHook;
|
||||||
|
|
||||||
/* Check whether the output paths were created, and grep each
|
/* Check whether the output paths were created, and grep each
|
||||||
|
@ -2990,7 +2969,7 @@ void DerivationGoal::registerOutputs()
|
||||||
? fmt("output ‘%1%’ of ‘%2%’ differs from ‘%3%’ from previous round", i->path, drvPath, prev)
|
? fmt("output ‘%1%’ of ‘%2%’ differs from ‘%3%’ from previous round", i->path, drvPath, prev)
|
||||||
: fmt("output ‘%1%’ of ‘%2%’ differs from previous round", i->path, drvPath);
|
: fmt("output ‘%1%’ of ‘%2%’ differs from previous round", i->path, drvPath);
|
||||||
|
|
||||||
auto diffHook = settings.get("diff-hook", std::string(""));
|
auto diffHook = settings.diffHook;
|
||||||
if (prevExists && diffHook != "" && runDiffHook) {
|
if (prevExists && diffHook != "" && runDiffHook) {
|
||||||
try {
|
try {
|
||||||
auto diff = runProgram(diffHook, true, {prev, i->path});
|
auto diff = runProgram(diffHook, true, {prev, i->path});
|
||||||
|
@ -3001,7 +2980,7 @@ void DerivationGoal::registerOutputs()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (settings.get("enforce-determinism", true))
|
if (settings.enforceDeterminism)
|
||||||
throw NotDeterministic(msg);
|
throw NotDeterministic(msg);
|
||||||
|
|
||||||
printError(msg);
|
printError(msg);
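Review bot: The default `/bin/sh=` BASH_PATH sandbox entry is no longer conditional on `worker.store.isInStore(BASH_PATH)`: the hunk at `@ -1756` removes that guard, and the `Settings` constructor in this commit sets `sandboxPaths` to the entry unconditionally on Linux. When BASH_PATH is not a store path the sandbox would, as far as these hunks show, expose that host path by default. One option is to keep the guard where the default is consumed, e.g. `if (!worker.store.isInStore(BASH_PATH)) dirs.erase("/bin/sh=" BASH_PATH);` under `#if __linux__` right after `PathSet dirs = settings.sandboxPaths;`. That would also drop an identical user-supplied entry, so leaving the constructor default empty and adding the entry here may be cleaner. `startBuilder` starts and ends outside these hunks.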
|
||||||
|
|
|
@ -105,14 +105,12 @@ PublicKeys getDefaultPublicKeys()
|
||||||
|
|
||||||
// FIXME: filter duplicates
|
// FIXME: filter duplicates
|
||||||
|
|
||||||
for (auto s : settings.get("binary-cache-public-keys",
|
for (auto s : settings.binaryCachePublicKeys) {
|
||||||
Strings{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="}))
|
|
||||||
{
|
|
||||||
PublicKey key(s);
|
PublicKey key(s);
|
||||||
publicKeys.emplace(key.name, key);
|
publicKeys.emplace(key.name, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (auto secretKeyFile : settings.get("secret-key-files", Strings())) {
|
for (auto secretKeyFile : settings.secretKeyFiles) {
|
||||||
try {
|
try {
|
||||||
SecretKey secretKey(readFile(secretKeyFile));
|
SecretKey secretKey(readFile(secretKeyFile));
|
||||||
publicKeys.emplace(secretKey.name, secretKey.toPublicKey());
|
publicKeys.emplace(secretKey.name, secretKey.toPublicKey());
|
||||||
|
|
|
@ -369,9 +369,9 @@ struct CurlDownloader : public Downloader
|
||||||
curl_multi_setopt(curlm, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
|
curl_multi_setopt(curlm, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
|
||||||
#endif
|
#endif
|
||||||
curl_multi_setopt(curlm, CURLMOPT_MAX_TOTAL_CONNECTIONS,
|
curl_multi_setopt(curlm, CURLMOPT_MAX_TOTAL_CONNECTIONS,
|
||||||
settings.get("binary-caches-parallel-connections", 25));
|
settings.binaryCachesParallelConnections);
|
||||||
|
|
||||||
enableHttp2 = settings.get("enable-http2", true);
|
enableHttp2 = settings.enableHttp2;
|
||||||
|
|
||||||
wakeupPipe.create();
|
wakeupPipe.create();
|
||||||
fcntl(wakeupPipe.readSide.get(), F_SETFL, O_NONBLOCK);
|
fcntl(wakeupPipe.readSide.get(), F_SETFL, O_NONBLOCK);
|
||||||
|
@ -611,7 +611,7 @@ Path Downloader::downloadCached(ref<Store> store, const string & url_, bool unpa
|
||||||
|
|
||||||
string expectedETag;
|
string expectedETag;
|
||||||
|
|
||||||
int ttl = settings.get("tarball-ttl", 60 * 60);
|
int ttl = settings.tarballTtl;
|
||||||
bool skip = false;
|
bool skip = false;
|
||||||
|
|
||||||
if (pathExists(fileLink) && pathExists(dataFile)) {
|
if (pathExists(fileLink) && pathExists(dataFile)) {
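Review bot: `CURLMOPT_MAX_TOTAL_CONNECTIONS` expects a `long`, but `settings.binaryCachesParallelConnections` is declared `int` in this commit and is passed through the variadic `curl_multi_setopt` unchanged. Cast at the call site, `(long) settings.binaryCachesParallelConnections`, so the argument has the width libcurl reads. The constructor body continues outside the hunk.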
|
||||||
|
|
|
@ -17,12 +17,23 @@ namespace nix {
|
||||||
must be deleted and recreated on startup.) */
|
must be deleted and recreated on startup.) */
|
||||||
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
|
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
|
||||||
|
|
||||||
|
/* chroot-like behavior from Apple's sandbox */
|
||||||
|
#if __APPLE__
|
||||||
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
|
||||||
|
#else
|
||||||
|
#define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
|
||||||
|
#endif
|
||||||
|
|
||||||
Settings settings;
|
Settings settings;
|
||||||
|
|
||||||
|
|
||||||
Settings::Settings()
|
Settings::Settings()
|
||||||
{
|
{
|
||||||
|
deprecatedOptions = StringSet({
|
||||||
|
"build-use-chroot", "build-chroot-dirs", "build-extra-chroot-dirs",
|
||||||
|
"this-option-never-existed-but-who-will-know"
|
||||||
|
});
|
||||||
|
|
||||||
nixPrefix = NIX_PREFIX;
|
nixPrefix = NIX_PREFIX;
|
||||||
nixStore = canonPath(getEnv("NIX_STORE_DIR", getEnv("NIX_STORE", NIX_STORE_DIR)));
|
nixStore = canonPath(getEnv("NIX_STORE_DIR", getEnv("NIX_STORE", NIX_STORE_DIR)));
|
||||||
nixDataDir = canonPath(getEnv("NIX_DATA_DIR", NIX_DATA_DIR));
|
nixDataDir = canonPath(getEnv("NIX_DATA_DIR", NIX_DATA_DIR));
|
||||||
|
@ -71,6 +82,32 @@ Settings::Settings()
|
||||||
netrcFile = fmt("%s/%s", nixConfDir, "netrc");
|
netrcFile = fmt("%s/%s", nixConfDir, "netrc");
|
||||||
caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
|
caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
|
||||||
enableImportFromDerivation = true;
|
enableImportFromDerivation = true;
|
||||||
|
useSandbox = "false"; // TODO: make into an enum
|
||||||
|
|
||||||
|
#if __linux__
|
||||||
|
sandboxPaths = tokenizeString<StringSet>("/bin/sh=" BASH_PATH);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
restrictEval = false;
|
||||||
|
buildRepeat = 0;
|
||||||
|
allowedImpureHostPrefixes = tokenizeString<StringSet>(DEFAULT_ALLOWED_IMPURE_PREFIXES);
|
||||||
|
sandboxShmSize = "50%";
|
||||||
|
darwinLogSandboxViolations = false;
|
||||||
|
runDiffHook = false;
|
||||||
|
diffHook = "";
|
||||||
|
enforceDeterminism = true;
|
||||||
|
binaryCachePublicKeys = Strings{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="};
|
||||||
|
secretKeyFiles = Strings();
|
||||||
|
binaryCachesParallelConnections = 25;
|
||||||
|
enableHttp2 = true;
|
||||||
|
tarballTtl = 60 * 60;
|
||||||
|
signedBinaryCaches = "";
|
||||||
|
substituters = Strings();
|
||||||
|
binaryCaches = nixStore == "/nix/store" ? Strings{"https://cache.nixos.org/"} : Strings();
|
||||||
|
extraBinaryCaches = Strings();
|
||||||
|
trustedUsers = Strings({"root"});
|
||||||
|
allowedUsers = Strings({"*"});
|
||||||
|
printMissing = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -113,44 +150,12 @@ void Settings::set(const string & name, const string & value)
|
||||||
overrides[name] = value;
|
overrides[name] = value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
string Settings::get(const string & name, const string & def)
|
|
||||||
{
|
|
||||||
auto i = settings.find(name);
|
|
||||||
if (i == settings.end()) return def;
|
|
||||||
return i->second;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
Strings Settings::get(const string & name, const Strings & def)
|
|
||||||
{
|
|
||||||
auto i = settings.find(name);
|
|
||||||
if (i == settings.end()) return def;
|
|
||||||
return tokenizeString<Strings>(i->second);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
bool Settings::get(const string & name, bool def)
|
|
||||||
{
|
|
||||||
bool res = def;
|
|
||||||
_get(res, name);
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
int Settings::get(const string & name, int def)
|
|
||||||
{
|
|
||||||
int res = def;
|
|
||||||
_get(res, name);
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
void Settings::update()
|
void Settings::update()
|
||||||
{
|
{
|
||||||
_get(tryFallback, "build-fallback");
|
_get(tryFallback, "build-fallback");
|
||||||
|
|
||||||
auto s = get("build-max-jobs", std::string("1"));
|
std::string s = "1";
|
||||||
|
_get(s, "build-max-jobs");
|
||||||
if (s == "auto")
|
if (s == "auto")
|
||||||
maxBuildJobs = std::max(1U, std::thread::hardware_concurrency());
|
maxBuildJobs = std::max(1U, std::thread::hardware_concurrency());
|
||||||
else
|
else
|
||||||
|
@ -186,13 +191,71 @@ void Settings::update()
|
||||||
_get(keepFailed, "keep-failed");
|
_get(keepFailed, "keep-failed");
|
||||||
_get(netrcFile, "netrc-file");
|
_get(netrcFile, "netrc-file");
|
||||||
_get(enableImportFromDerivation, "allow-import-from-derivation");
|
_get(enableImportFromDerivation, "allow-import-from-derivation");
|
||||||
|
_get(useSandbox, "build-use-sandbox", "build-use-chroot");
|
||||||
|
_get(sandboxPaths, "build-sandbox-paths", "build-chroot-dirs");
|
||||||
|
_get(extraSandboxPaths, "build-extra-sandbox-paths", "build-extra-chroot-dirs");
|
||||||
|
_get(restrictEval, "restrict-eval");
|
||||||
|
_get(buildRepeat, "build-repeat");
|
||||||
|
_get(allowedImpureHostPrefixes, "allowed-impure-host-deps");
|
||||||
|
_get(sandboxShmSize, "sandbox-dev-shm-size");
|
||||||
|
_get(darwinLogSandboxViolations, "darwin-log-sandbox-violations");
|
||||||
|
_get(runDiffHook, "run-diff-hook");
|
||||||
|
_get(diffHook, "diff-hook");
|
||||||
|
_get(enforceDeterminism, "enforce-determinism");
|
||||||
|
_get(binaryCachePublicKeys, "binary-cache-public-keys");
|
||||||
|
_get(secretKeyFiles, "secret-key-files");
|
||||||
|
_get(binaryCachesParallelConnections, "binary-caches-parallel-connections");
|
||||||
|
_get(enableHttp2, "enable-http2");
|
||||||
|
_get(tarballTtl, "tarball-ttl");
|
||||||
|
_get(signedBinaryCaches, "signed-binary-caches");
|
||||||
|
_get(substituters, "substituters");
|
||||||
|
_get(binaryCaches, "binary-caches");
|
||||||
|
_get(extraBinaryCaches, "extra-binary-caches");
|
||||||
|
_get(trustedUsers, "trusted-users");
|
||||||
|
_get(allowedUsers, "allowed-users");
|
||||||
|
_get(printMissing, "print-missing");
|
||||||
|
|
||||||
|
/* Clear out any deprecated options that might be left, so users know we recognize the option
|
||||||
|
but aren't processing it anymore */
|
||||||
|
for (auto &i : deprecatedOptions) {
|
||||||
|
if (settings.find(i) != settings.end()) {
|
||||||
|
printError(format("warning: deprecated option '%1%' is no longer supported and will be ignored") % i);
|
||||||
|
settings.erase(i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (settings.size() != 0) {
|
||||||
|
string bad;
|
||||||
|
for (auto &i : settings)
|
||||||
|
bad += "'" + i.first + "', ";
|
||||||
|
bad.pop_back();
|
||||||
|
bad.pop_back();
|
||||||
|
throw Error(format("unrecognized options: %s") % bad);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Settings::checkDeprecated(const string & name)
|
||||||
|
{
|
||||||
|
if (deprecatedOptions.find(name) != deprecatedOptions.end())
|
||||||
|
printError(format("warning: deprecated option '%1%' will soon be unsupported") % name);
|
||||||
|
}
|
||||||
|
|
||||||
void Settings::_get(string & res, const string & name)
|
void Settings::_get(string & res, const string & name)
|
||||||
{
|
{
|
||||||
SettingsMap::iterator i = settings.find(name);
|
SettingsMap::iterator i = settings.find(name);
|
||||||
if (i == settings.end()) return;
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
|
res = i->second;
|
||||||
|
}
|
||||||
|
|
||||||
|
void Settings::_get(string & res, const string & name1, const string & name2)
|
||||||
|
{
|
||||||
|
SettingsMap::iterator i = settings.find(name1);
|
||||||
|
if (i == settings.end()) i = settings.find(name2);
|
||||||
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
res = i->second;
|
res = i->second;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -201,6 +264,8 @@ void Settings::_get(bool & res, const string & name)
|
||||||
{
|
{
|
||||||
SettingsMap::iterator i = settings.find(name);
|
SettingsMap::iterator i = settings.find(name);
|
||||||
if (i == settings.end()) return;
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
if (i->second == "true") res = true;
|
if (i->second == "true") res = true;
|
||||||
else if (i->second == "false") res = false;
|
else if (i->second == "false") res = false;
|
||||||
else throw Error(format("configuration option ‘%1%’ should be either ‘true’ or ‘false’, not ‘%2%’")
|
else throw Error(format("configuration option ‘%1%’ should be either ‘true’ or ‘false’, not ‘%2%’")
|
||||||
|
@ -212,6 +277,20 @@ void Settings::_get(StringSet & res, const string & name)
|
||||||
{
|
{
|
||||||
SettingsMap::iterator i = settings.find(name);
|
SettingsMap::iterator i = settings.find(name);
|
||||||
if (i == settings.end()) return;
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
|
res.clear();
|
||||||
|
Strings ss = tokenizeString<Strings>(i->second);
|
||||||
|
res.insert(ss.begin(), ss.end());
|
||||||
|
}
|
||||||
|
|
||||||
|
void Settings::_get(StringSet & res, const string & name1, const string & name2)
|
||||||
|
{
|
||||||
|
SettingsMap::iterator i = settings.find(name1);
|
||||||
|
if (i == settings.end()) i = settings.find(name2);
|
||||||
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
res.clear();
|
res.clear();
|
||||||
Strings ss = tokenizeString<Strings>(i->second);
|
Strings ss = tokenizeString<Strings>(i->second);
|
||||||
res.insert(ss.begin(), ss.end());
|
res.insert(ss.begin(), ss.end());
|
||||||
|
@ -221,6 +300,8 @@ void Settings::_get(Strings & res, const string & name)
|
||||||
{
|
{
|
||||||
SettingsMap::iterator i = settings.find(name);
|
SettingsMap::iterator i = settings.find(name);
|
||||||
if (i == settings.end()) return;
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
res = tokenizeString<Strings>(i->second);
|
res = tokenizeString<Strings>(i->second);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -229,6 +310,8 @@ template<class N> void Settings::_get(N & res, const string & name)
|
||||||
{
|
{
|
||||||
SettingsMap::iterator i = settings.find(name);
|
SettingsMap::iterator i = settings.find(name);
|
||||||
if (i == settings.end()) return;
|
if (i == settings.end()) return;
|
||||||
|
checkDeprecated(i->first);
|
||||||
|
settings.erase(i);
|
||||||
if (!string2Int(i->second, res))
|
if (!string2Int(i->second, res))
|
||||||
throw Error(format("configuration setting ‘%1%’ should have an integer value") % name);
|
throw Error(format("configuration setting ‘%1%’ should have an integer value") % name);
|
||||||
}
|
}
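Review bot: Every `_get` overload now calls `settings.erase(i);` and then reads `i->second`, which dereferences an iterator the erase has just invalidated (assuming `SettingsMap` is a standard associative container; its definition is not in these hunks). This applies to the string, bool, StringSet, Strings and integer overloads alike, including the two-name variants. Copy the value before erasing, e.g. `string value = i->second;` then `settings.erase(i);`, and use `value` afterwards; this also keeps the entry consumed when the bool or integer parse throws. Separately, the new `unrecognized options` throw at the end of `update()` makes any option not read there fatal, which is worth confirming as intended.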
|
||||||
|
|
|
@ -20,14 +20,6 @@ struct Settings {
|
||||||
|
|
||||||
void set(const string & name, const string & value);
|
void set(const string & name, const string & value);
|
||||||
|
|
||||||
string get(const string & name, const string & def);
|
|
||||||
|
|
||||||
Strings get(const string & name, const Strings & def);
|
|
||||||
|
|
||||||
bool get(const string & name, bool def);
|
|
||||||
|
|
||||||
int get(const string & name, int def);
|
|
||||||
|
|
||||||
void update();
|
void update();
|
||||||
|
|
||||||
string pack();
|
string pack();
|
||||||
|
@ -36,6 +28,10 @@ struct Settings {
|
||||||
|
|
||||||
SettingsMap getOverrides();
|
SettingsMap getOverrides();
|
||||||
|
|
||||||
|
/* TODO: the comments below should be strings and exposed via a nice command-line UI or similar.
|
||||||
|
We should probably replace it with some sort of magic template or macro to minimize the amount
|
||||||
|
of duplication and pain here. */
|
||||||
|
|
||||||
/* The directory where we store sources and derived files. */
|
/* The directory where we store sources and derived files. */
|
||||||
Path nixStore;
|
Path nixStore;
|
||||||
|
|
||||||
|
@ -184,6 +180,75 @@ struct Settings {
|
||||||
/* Whether native-code enabling primops should be enabled */
|
/* Whether native-code enabling primops should be enabled */
|
||||||
bool enableNativeCode;
|
bool enableNativeCode;
|
||||||
|
|
||||||
|
/* Whether to enable sandboxed builds (string until we get an enum for true/false/relaxed) */
|
||||||
|
string useSandbox;
|
||||||
|
|
||||||
|
/* The basic set of paths to expose in a sandbox */
|
||||||
|
PathSet sandboxPaths;
|
||||||
|
|
||||||
|
/* Any extra sandbox paths to expose */
|
||||||
|
PathSet extraSandboxPaths;
|
||||||
|
|
||||||
|
/* Whether to allow certain questionable operations (like fetching) during evaluation */
|
||||||
|
bool restrictEval;
|
||||||
|
|
||||||
|
/* The number of times to repeat a build to check for determinism */
|
||||||
|
int buildRepeat;
|
||||||
|
|
||||||
|
/* Which prefixes to allow derivations to ask for access to (primarily for Darwin) */
|
||||||
|
PathSet allowedImpureHostPrefixes;
|
||||||
|
|
||||||
|
/* The size of /dev/shm in the build sandbox (for Linux) */
|
||||||
|
string sandboxShmSize;
|
||||||
|
|
||||||
|
/* Whether to log Darwin sandbox access violations to the system log */
|
||||||
|
bool darwinLogSandboxViolations;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
bool runDiffHook;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
string diffHook;
|
||||||
|
|
||||||
|
/* Whether to fail if repeated builds produce different output */
|
||||||
|
bool enforceDeterminism;
|
||||||
|
|
||||||
|
/* The known public keys for a binary cache */
|
||||||
|
Strings binaryCachePublicKeys;
|
||||||
|
|
||||||
|
/* Secret keys to use for build output signing */
|
||||||
|
Strings secretKeyFiles;
|
||||||
|
|
||||||
|
/* Number of parallel connections to hit a binary cache with when finding out if it contains hashes */
|
||||||
|
int binaryCachesParallelConnections;
|
||||||
|
|
||||||
|
/* Whether to enable HTTP2 */
|
||||||
|
bool enableHttp2;
|
||||||
|
|
||||||
|
/* How soon to expire tarballs like builtins.fetchTarball and (ugh, bad name) builtins.fetchurl */
|
||||||
|
int tarballTtl;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
string signedBinaryCaches;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
Strings substituters;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
Strings binaryCaches;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
Strings extraBinaryCaches;
|
||||||
|
|
||||||
|
/* Who we trust to ask the daemon to do unsafe things */
|
||||||
|
Strings trustedUsers;
|
||||||
|
|
||||||
|
/* ?Who we trust to use the daemon in safe ways */
|
||||||
|
Strings allowedUsers;
|
||||||
|
|
||||||
|
/* ??? */
|
||||||
|
bool printMissing;
|
||||||
|
|
||||||
/* The hook to run just before a build to set derivation-specific
|
/* The hook to run just before a build to set derivation-specific
|
||||||
build settings */
|
build settings */
|
||||||
Path preBuildHook;
|
Path preBuildHook;
|
||||||
|
@ -199,11 +264,16 @@ struct Settings {
|
||||||
bool enableImportFromDerivation;
|
bool enableImportFromDerivation;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
|
StringSet deprecatedOptions;
|
||||||
SettingsMap settings, overrides;
|
SettingsMap settings, overrides;
|
||||||
|
|
||||||
|
void checkDeprecated(const string & name);
|
||||||
|
|
||||||
void _get(string & res, const string & name);
|
void _get(string & res, const string & name);
|
||||||
|
void _get(string & res, const string & name1, const string & name2);
|
||||||
void _get(bool & res, const string & name);
|
void _get(bool & res, const string & name);
|
||||||
void _get(StringSet & res, const string & name);
|
void _get(StringSet & res, const string & name);
|
||||||
|
void _get(StringSet & res, const string & name1, const string & name2);
|
||||||
void _get(Strings & res, const string & name);
|
void _get(Strings & res, const string & name);
|
||||||
template<class N> void _get(N & res, const string & name);
|
template<class N> void _get(N & res, const string & name);
|
||||||
};
|
};
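Review bot: Seven of the new fields are documented only as `/* ??? */` (`runDiffHook`, `diffHook`, `signedBinaryCaches`, `substituters`, `binaryCaches`, `extraBinaryCaches`, `printMissing`), although their use is visible elsewhere in this commit. For the hook pair I would write `/* Program run with the previous and current output path when a repeated build differs */` on `diffHook` and `/* Whether to run diffHook on a mismatch (also keeps the previous round's output) */` on `runDiffHook`. The remaining comments should say that `signedBinaryCaches` being non-empty sets the `require-sigs` default, that the three cache lists are store URIs opened by `getDefaultSubstituters()`, and that `printMissing` controls whether `opRealise` prints what will be built or substituted. The struct starts and ends outside these hunks.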
|
||||||
|
|
|
@ -1333,7 +1333,7 @@ void LocalStore::signPathInfo(ValidPathInfo & info)
|
||||||
{
|
{
|
||||||
// FIXME: keep secret keys in memory.
|
// FIXME: keep secret keys in memory.
|
||||||
|
|
||||||
auto secretKeyFiles = settings.get("secret-key-files", Strings());
|
auto secretKeyFiles = settings.secretKeyFiles;
|
||||||
|
|
||||||
for (auto & secretKeyFile : secretKeyFiles) {
|
for (auto & secretKeyFile : secretKeyFiles) {
|
||||||
SecretKey secretKey(readFile(secretKeyFile));
|
SecretKey secretKey(readFile(secretKeyFile));
|
||||||
|
|
|
@ -79,7 +79,7 @@ public:
|
||||||
private:
|
private:
|
||||||
|
|
||||||
Setting<bool> requireSigs{(Store*) this,
|
Setting<bool> requireSigs{(Store*) this,
|
||||||
trim(settings.get("signed-binary-caches", std::string("*"))) != "",
|
settings.signedBinaryCaches != "", // FIXME
|
||||||
"require-sigs", "whether store paths should have a trusted signature on import"};
|
"require-sigs", "whether store paths should have a trusted signature on import"};
|
||||||
|
|
||||||
PublicKeys publicKeys;
|
PublicKeys publicKeys;
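Review bot: The default for `requireSigs` flips from true to false on this line: the old expression fell back to `"*"` when `signed-binary-caches` was unset, while `settings.signedBinaryCaches` is initialised to `""` in the `Settings` constructor in this commit, so an unconfigured install no longer requires a trusted signature on import. The `trim()` was also dropped, so a whitespace-only value now counts as set. Keeping the old behaviour needs `signedBinaryCaches = "*";` in the constructor and `trim(settings.signedBinaryCaches) != ""` here. The class body starts and ends outside the hunk.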
|
||||||
|
|
|
@ -782,14 +782,13 @@ std::list<ref<Store>> getDefaultSubstituters()
|
||||||
state->stores.push_back(openStore(uri));
|
state->stores.push_back(openStore(uri));
|
||||||
};
|
};
|
||||||
|
|
||||||
Strings defaultSubstituters;
|
for (auto uri : settings.substituters)
|
||||||
if (settings.nixStore == "/nix/store")
|
|
||||||
defaultSubstituters.push_back("https://cache.nixos.org/");
|
|
||||||
|
|
||||||
for (auto uri : settings.get("substituters", settings.get("binary-caches", defaultSubstituters)))
|
|
||||||
addStore(uri);
|
addStore(uri);
|
||||||
|
|
||||||
for (auto uri : settings.get("extra-binary-caches", Strings()))
|
for (auto uri : settings.binaryCaches)
|
||||||
|
addStore(uri);
|
||||||
|
|
||||||
|
for (auto uri : settings.extraBinaryCaches)
|
||||||
addStore(uri);
|
addStore(uri);
|
||||||
|
|
||||||
state->done = true;
|
state->done = true;
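Review bot: Setting `substituters` no longer replaces the default cache: the old loop used `substituters`, else `binary-caches`, else the built-in default, while the new code adds `settings.substituters`, then `settings.binaryCaches` (which the constructor in this commit defaults to `https://cache.nixos.org/` when the store is `/nix/store`), then `settings.extraBinaryCaches`. A configuration that lists only a private substituter would therefore still query the public cache. If the override semantics are meant to stay, `for (auto uri : settings.substituters.empty() ? settings.binaryCaches : settings.substituters)` keeps them. The function body extends outside the hunk.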
|
||||||
|
|
|
@ -878,8 +878,8 @@ static void daemonLoop(char * * argv)
|
||||||
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
|
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
|
||||||
string group = gr ? gr->gr_name : std::to_string(peer.gid);
|
string group = gr ? gr->gr_name : std::to_string(peer.gid);
|
||||||
|
|
||||||
Strings trustedUsers = settings.get("trusted-users", Strings({"root"}));
|
Strings trustedUsers = settings.trustedUsers;
|
||||||
Strings allowedUsers = settings.get("allowed-users", Strings({"*"}));
|
Strings allowedUsers = settings.allowedUsers;
|
||||||
|
|
||||||
if (matchUser(user, group, trustedUsers))
|
if (matchUser(user, group, trustedUsers))
|
||||||
trusted = true;
|
trusted = true;
|
||||||
|
|
|
@ -145,7 +145,7 @@ static void opRealise(Strings opFlags, Strings opArgs)
|
||||||
unknown = PathSet();
|
unknown = PathSet();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (settings.get("print-missing", true))
|
if (settings.printMissing)
|
||||||
printMissing(ref<Store>(store), willBuild, willSubstitute, unknown, downloadSize, narSize);
|
printMissing(ref<Store>(store), willBuild, willSubstitute, unknown, downloadSize, narSize);
|
||||||
|
|
||||||
if (dryRun) return;
|
if (dryRun) return;
|
||||||
|
|