Staging environment for Lix release engineering scripts
Eelco Dolstra c4d7c76b64
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.

Example:

  let nixpkgs = fetchTarball channel:nixos-18.03; in

  with import <nixpkgs> {};

  runCommand "foo"
    {
      buildInputs = [ nix jq ];
      NIX_PATH = "nixpkgs=${nixpkgs}";
    }
    ''
      hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')

      $hello/bin/hello

      mkdir -p $out/bin
      ln -s $hello/bin/hello $out/bin/hello

      nix path-info -r --json $hello | jq .
    ''

This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.

  # ll ./result/bin/
  lrwxrwxrwx 1 root root 63 Jan  1  1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello

  # nix-store -qR ./result
  /nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
  /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
  /nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo

This is implemented as follows:

* Before running the outer builder, Nix creates a Unix domain socket
  '.nix-socket' in the builder's temporary directory and sets
  $NIX_REMOTE to point to it. It starts a thread to process
  connections to this socket. (Thus you don't need to have nix-daemon
  running.)

* The daemon thread uses a wrapper store (RestrictedStore) to keep
  track of paths added through recursive Nix calls, to implement some
  restrictions (see below), and to do some censorship (e.g. for
  purity, queryPathInfo() won't return impure information such as
  signatures and timestamps).

* After the build finishes, the output paths are scanned for
  references to the paths added through recursive Nix calls (in
  addition to the inputs closure). Thus, in the example above, $out
  has a reference to $hello.

The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing

  nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10

is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.

Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.

When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.

Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2019-11-06 00:52:38 +01:00
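The substitution restriction the commit message describes, as an added Python model rather than Nix's own code: RestrictedStore, Derivation, ForbiddenSubstitution, scan_references and run_scenario are stand-ins named here for illustration, the derivation graph is constructed, and the only values taken from the page are the store paths quoted in the message. It shows the three behaviours the message lists: a bare `nix-store -r` on a path outside the inputs closure is refused, building a derivation registers its outputs as allowed, queryPathInfo answers are censored of impure fields, and the builder's $out is afterwards scanned for references to the recursively added paths by hash part.

```python
import re
from dataclasses import dataclass

STORE = "/nix/store/"
# Nix's base-32 alphabet omits e, o, t and u; hash parts are 32 characters long.
HASH_RE = re.compile(r"^[0-9a-df-np-sv-z]{32}$")
# Metadata the commit message calls impure: a builder must not depend on it.
IMPURE_FIELDS = ("signatures", "registrationTime", "ultimate")


def hash_part(path):
    """Return the 32-character hash part of a store path, rejecting malformed input."""
    if not path.startswith(STORE):
        raise ValueError("not a store path: " + path)
    h, sep, _name = path[len(STORE):].partition("-")
    if not sep or not HASH_RE.match(h):
        raise ValueError("malformed store path: " + path)
    return h


@dataclass(frozen=True)
class Derivation:
    """Hypothetical stand-in for a .drv: its output paths and the derivations it needs."""
    name: str
    outputs: tuple
    input_drvs: tuple = ()


class ForbiddenSubstitution(Exception):
    """Raised when a recursive call asks for a path it has not shown it can build."""


class RestrictedStore:
    """Model of the wrapper store's policy (not Nix's class): a path is visible only
    through the inputs closure or through a derivation the builder asked to build."""

    def __init__(self, inputs_closure):
        self.inputs_closure = frozenset(inputs_closure)
        self.added = set()  # outputs of recursive builds, scanned for references later

    def allowed(self):
        return self.inputs_closure | self.added

    def ensure_path(self, path):
        """'nix-store -r <path>' on a bare path: allowed only if already provable."""
        if path not in self.allowed():
            raise ForbiddenSubstitution(path + ": not in inputs closure, not built recursively")
        return path

    def build_derivation(self, drv):
        """Building a derivation is fine: the graph is the proof. Real Nix may use
        substitutes for each step; either way the outputs become known paths."""
        for dep in drv.input_drvs:
            self.build_derivation(dep)
        self.added.update(drv.outputs)
        return drv.outputs

    def query_path_info(self, path, raw_info):
        """Censor impure metadata from the underlying store's answer (raw_info is a
        constructed stand-in for what the real store would return)."""
        self.ensure_path(path)
        return {k: v for k, v in raw_info.items() if k not in IMPURE_FIELDS}


def scan_references(content, candidates):
    """Which candidate store paths does this output refer to? As in Nix's
    reference scanner, the match is on the hash part of each candidate."""
    return {p for p in candidates if hash_part(p).encode() in content}


# Constructed scenario built from the store paths quoted in the commit message.
GLIBC = STORE + "hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131"
HELLO = STORE + "s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5"
HELLO_210 = STORE + "kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10"
GLIBC_DRV = Derivation("glibc", (GLIBC,))
HELLO_DRV = Derivation("hello-3.5", (HELLO,), (GLIBC_DRV,))
# Constructed $out content: the symlink the outer builder creates points at $hello.
OUT_CONTENT = b"bin/hello -> " + HELLO.encode() + b"/bin/hello\n"


def run_scenario():
    store = RestrictedStore([GLIBC])
    try:
        store.ensure_path(HELLO_210)      # would be a hidden dependency on a substituter
        bare_request = "allowed"
    except ForbiddenSubstitution:
        bare_request = "forbidden"
    store.build_derivation(HELLO_DRV)     # the nix-build in the commit's example
    info = store.query_path_info(HELLO, {"narHash": "sha256:<constructed>",
                                         "signatures": ["cache.example:<constructed>"],
                                         "registrationTime": 1572998400})
    return {"bare_request": bare_request,
            "references": scan_references(OUT_CONTENT, store.allowed()),
            "censored_info": info}


if __name__ == "__main__":
    print(run_scenario())
```

Running the module shows the bare request refused, the reference scan finding $hello (but not glibc, whose hash never appears in $out), and the path info reduced to its content hash. The model deliberately lets `build_derivation` succeed without checking the network behaviour of fixed-output derivations, which is exactly the gap the message flags as still open.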
.github Remove .github/FUNDING.yml 2019-07-23 15:21:23 +02:00
config update config/config.{sub,guess} 2018-08-13 20:00:17 +00:00
contrib function-trace: always show the trace 2019-09-18 23:23:21 +02:00
corepkgs nix-channel: Don't fetch binary-cache-url 2019-06-25 13:27:16 +02:00
doc/manual Fix manual build 2019-11-05 11:21:32 +01:00
m4 autoconf: Fix C++17 detection not working on Ubuntu 16.04. 2019-07-03 04:32:25 +02:00
maintainers upload-release.pl: Fix sshfs call 2019-09-04 21:44:40 +02:00
misc Make nix-daemon.plist less fragile on macOS 2019-10-09 12:52:01 +01:00
mk mk: add support for passing LDFLAGS to libs and bins 2019-07-03 04:32:25 +02:00
perl autoconf: Allow overriding CFLAGS/CXXFLAGS from outside. 2019-07-03 04:32:25 +02:00
scripts install-multi-user.sh: Remove unused variables 2019-10-23 21:24:21 +02:00
src Recursive Nix support 2019-11-06 00:52:38 +01:00
tests Fix VM tests 2019-11-05 11:12:25 +01:00
.dir-locals.el Add .dir-locals.el for Emacs 2016-01-28 11:12:04 +01:00
.editorconfig Add .editorconfig 2017-06-05 22:57:28 +01:00
.gitignore Treat plain derivation paths in context as normal paths. 2019-01-13 11:29:55 -05:00
.travis.yml travis: enable linux builds 2019-10-31 16:37:33 +00:00
.version Bump version 2019-09-04 15:59:33 +02:00
bootstrap.sh bootstrap: Simplify & make more robust. 2011-09-06 12:11:05 +00:00
configure.ac Make --enable-gc the default 2019-11-06 00:46:37 +01:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
local.mk Merge all nix-* binaries into nix 2018-10-26 12:54:00 +02:00
Makefile autoconf: Allow overriding CFLAGS/CXXFLAGS from outside. 2019-07-03 04:32:25 +02:00
Makefile.config.in Get BOOST_LDFLAGS from autoconf, fix Ubuntu 16.04 build. 2019-07-03 04:32:25 +02:00
nix.spec.in Remove world-writability from per-user directories 2019-10-09 23:34:48 +02:00
README.md Add Open Collective 2019-07-18 10:57:26 +02:00
release-common.nix Make --enable-gc the default 2019-11-06 00:46:37 +01:00
release.nix Make --enable-gc the default 2019-11-06 00:46:37 +01:00
shell.nix Switch to nixpkgs 19.09 2019-10-25 07:23:05 -04:00


Nix, the purely functional package manager

Nix is a new take on package management. Because of its purity, many of the issues found in traditional package managers don't occur with Nix.

To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.

Contributing

Take a look at the Hacking section of the manual. It helps you get started with building Nix from source.

License

Nix is released under the LGPL v2.1.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.