Fix it!
This commit is contained in:
parent
c036de086e
commit
6e1e15ffec
8 changed files with 48 additions and 29 deletions
|
@ -290,14 +290,19 @@ connected:
|
||||||
auto drv = store->readDerivation(*drvPath);
|
auto drv = store->readDerivation(*drvPath);
|
||||||
|
|
||||||
std::optional<BuildResult> optResult;
|
std::optional<BuildResult> optResult;
|
||||||
if (sshStore->isTrustedClient() || drv.type().isCA()) {
|
// If we don't know whether we are trusted (e.g. `ssh://`
|
||||||
// Hijack the inputs paths of the derivation to include all the paths
|
// stores), we assume we are. This is neccessary for backwards
|
||||||
// that come from the `inputDrvs` set.
|
// compat.
|
||||||
// We don’t do that for the derivations whose `inputDrvs` is empty
|
if (std::optional trust = sshStore->isTrustedClient(); (!trust || *trust) || drv.type().isCA()) {
|
||||||
// because
|
// Hijack the inputs paths of the derivation to include all
|
||||||
|
// the paths that come from the `inputDrvs` set. We don’t do
|
||||||
|
// that for the derivations whose `inputDrvs` is empty
|
||||||
|
// because:
|
||||||
|
//
|
||||||
// 1. It’s not needed
|
// 1. It’s not needed
|
||||||
// 2. Changing the `inputSrcs` set changes the associated output ids,
|
//
|
||||||
// which break CA derivations
|
// 2. Changing the `inputSrcs` set changes the associated
|
||||||
|
// output ids, which break CA derivations
|
||||||
if (!drv.inputDrvs.empty())
|
if (!drv.inputDrvs.empty())
|
||||||
drv.inputSrcs = store->parseStorePathSet(inputs);
|
drv.inputSrcs = store->parseStorePathSet(inputs);
|
||||||
optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv);
|
optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv);
|
||||||
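Review bot: The new `if` line makes unknown trust fail-open — `(!trust || *trust)` treats a missing `isTrustedClient()` answer as "trusted" — and the comment above it only cites backwards compat, so a later reader could mistake this for a client-side authorization decision. I would state what bounds the risk instead: the guess only selects the `buildDerivation` path, and the remote daemon still enforces its own trust (the rewritten should-fail-0 test in this commit appears to rely on exactly that, expecting `cannot add path ... because it lacks a signature by a trusted key` when the guess is wrong), e.g. `// Guessing "trusted" only picks the buildDerivation path; an untrusted remote still rejects the unsigned paths itself.` If the return type is `std::optional<bool>`, the condition reads more directly as `if (sshStore->isTrustedClient().value_or(true) || drv.type().isCA()) {`, and `neccessary` should be `necessary`. The enclosing function starts and ends outside this hunk.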
|
|
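--- /dev/null
+++ b/tests/build-remote-trustless-after.sh
@@ -0,0 +1,2 @@
+outPath=$(readlink -f $TEST_ROOT/result)
+grep 'FOO BAR BAZ' ${remoteDir}/${outPath}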
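Review bot: This new file reads `$TEST_ROOT` and `${remoteDir}` without defining either, so it only works when sourced after `build-remote-trustless.sh` (where `remoteDir` is set in this same commit), and nothing in the file says so; a header comment would: `# Source after build-remote-trustless.sh: relies on $TEST_ROOT and $remoteDir set there.` Both expansions would also be safer quoted, `outPath=$(readlink -f "$TEST_ROOT/result")` and `grep 'FOO BAR BAZ' "${remoteDir}/${outPath}"`, since a space in `TEST_ROOT` splits the argument.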
|
@ -1,11 +1,25 @@
|
||||||
source common.sh
|
source common.sh
|
||||||
|
|
||||||
# We act as if remote trusts us, but it doesn't. This fails since we are
|
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
||||||
# building input-addressed derivations with `buildDerivation`, which
|
|
||||||
# depends on trust.
|
unset NIX_STORE_DIR
|
||||||
|
unset NIX_STATE_DIR
|
||||||
|
|
||||||
|
# We first build a dependency of the derivation we eventually want to
|
||||||
|
# build.
|
||||||
|
nix-build build-hook.nix -A passthru.input2 \
|
||||||
|
-o "$TEST_ROOT/input2" \
|
||||||
|
--arg busybox "$busybox" \
|
||||||
|
--store "$TEST_ROOT/local" \
|
||||||
|
--option system-features bar
|
||||||
|
|
||||||
|
# Now when we go to build that downstream derivation, Nix will try to
|
||||||
|
# copy our already-build `input2` to the remote store. That store object
|
||||||
|
# is input-addressed, so this will fail.
|
||||||
|
|
||||||
file=build-hook.nix
|
file=build-hook.nix
|
||||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||||
proto=ssh-ng
|
proto=ssh-ng
|
||||||
trusting=true
|
|
||||||
|
|
||||||
! source build-remote-trustless.sh
|
expectStderr 1 source build-remote-trustless.sh \
|
||||||
|
| grepQuiet "cannot add path '[^ ]*' because it lacks a signature by a trusted key"
|
||||||
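Review bot: `unset NIX_STORE_DIR` and `unset NIX_STATE_DIR` are now duplicated between this script and `build-remote-trustless.sh`, which still unsets them before its own `nix-build`, and nothing says why the repetition is needed here; a one-line comment would stop someone from deduplicating them later: `# Needed already here: input2 is built before build-remote-trustless.sh is sourced.` The closing `expectStderr 1 source … | grepQuiet …` pipeline only reports expectStderr's own failure if `pipefail` is in effect, which is decided in common.sh outside this hunk; if it is not, an unexpected exit code is masked by grepQuiet's status whenever the message still appears. The enclosing script is shown in full here, so that is the only place the check's strength is decided.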
|
|
|
@ -1,9 +1,9 @@
|
||||||
source common.sh
|
source common.sh
|
||||||
|
|
||||||
# Remote trusts us but we pretend it doesn't.
|
# Remote trusts us
|
||||||
file=build-hook.nix
|
file=build-hook.nix
|
||||||
prog=nix-store
|
prog=nix-store
|
||||||
proto=ssh
|
proto=ssh
|
||||||
trusting=false
|
|
||||||
|
|
||||||
source build-remote-trustless.sh
|
source build-remote-trustless.sh
|
||||||
|
source build-remote-trustless-after.sh
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
source common.sh
|
source common.sh
|
||||||
|
|
||||||
# Remote trusts us but we pretend it doesn't.
|
# Remote trusts us
|
||||||
file=build-hook.nix
|
file=build-hook.nix
|
||||||
prog=nix-daemon
|
prog=nix-daemon
|
||||||
proto=ssh-ng
|
proto=ssh-ng
|
||||||
trusting=false
|
|
||||||
|
|
||||||
source build-remote-trustless.sh
|
source build-remote-trustless.sh
|
||||||
|
source build-remote-trustless-after.sh
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
source common.sh
|
source common.sh
|
||||||
|
|
||||||
# Remote doesn't trust us nor do we think it does
|
# Remote doesn't trust us
|
||||||
file=build-hook.nix
|
file=build-hook.nix
|
||||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||||
proto=ssh-ng
|
proto=ssh-ng
|
||||||
trusting=false
|
|
||||||
|
|
||||||
source build-remote-trustless.sh
|
source build-remote-trustless.sh
|
||||||
|
source build-remote-trustless-after.sh
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
source common.sh
|
source common.sh
|
||||||
|
|
||||||
# We act as if remote trusts us, but it doesn't. This is fine because we
|
# Remote doesn't trusts us, but this is fine because we are only
|
||||||
# are only building (fixed) CA derivations.
|
# building (fixed) CA derivations.
|
||||||
file=build-hook-ca-fixed.nix
|
file=build-hook-ca-fixed.nix
|
||||||
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
prog=$(readlink -e ./nix-daemon-untrusting.sh)
|
||||||
proto=ssh-ng
|
proto=ssh-ng
|
||||||
trusting=true
|
|
||||||
|
|
||||||
source build-remote-trustless.sh
|
source build-remote-trustless.sh
|
||||||
|
source build-remote-trustless-after.sh
|
||||||
|
|
|
@ -1,16 +1,14 @@
|
||||||
if ! canUseSandbox; then exit; fi
|
requireSandboxSupport
|
||||||
if ! [[ $busybox =~ busybox ]]; then exit; fi
|
[[ $busybox =~ busybox ]] || skipTest "no busybox"
|
||||||
|
|
||||||
unset NIX_STORE_DIR
|
unset NIX_STORE_DIR
|
||||||
unset NIX_STATE_DIR
|
unset NIX_STATE_DIR
|
||||||
|
|
||||||
|
remoteDir=$TEST_ROOT/remote
|
||||||
|
|
||||||
# Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for
|
# Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for
|
||||||
# more details.
|
# more details.
|
||||||
nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \
|
nix-build $file -o $TEST_ROOT/result --max-jobs 0 \
|
||||||
--arg busybox $busybox \
|
--arg busybox $busybox \
|
||||||
--store $TEST_ROOT/local \
|
--store $TEST_ROOT/local \
|
||||||
--builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
|
--builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
|
||||||
|
|
||||||
outPath=$(readlink -f $TEST_ROOT/result)
|
|
||||||
|
|
||||||
grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
|
|
||||||
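Review bot: The new `nix-build` line leaves `$file`, `$TEST_ROOT/result`, `$busybox` and `$TEST_ROOT/local` unquoted while the `--builders` argument of the same command is quoted; `nix-build "$file" -o "$TEST_ROOT/result" --max-jobs 0 \`, `--arg busybox "$busybox" \` and `--store "$TEST_ROOT/local" \` would make the quoting consistent. The new `remoteDir=$TEST_ROOT/remote` is then spliced raw into the builder URL, where only the `?` is percent-encoded as `%3F`; a `TEST_ROOT` containing a space, `&`, `?` or `%` would corrupt the builder spec, as it would have before this change too, so a comment such as `# remoteDir is interpolated into a URL unencoded; keep TEST_ROOT free of URL-reserved characters` is worth adding next to the assignment.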
|
|