2020-10-12 17:08:52 +00:00
# include "derivation-goal.hh"
# include "hook-instance.hh"
# include "worker.hh"
2015-07-20 02:30:16 +00:00
# include "builtins.hh"
2019-10-21 15:17:15 +00:00
# include "builtins/buildenv.hh"
2020-10-11 16:19:10 +00:00
# include "references.hh"
2016-04-29 11:57:08 +00:00
# include "finally.hh"
2020-10-11 16:19:10 +00:00
# include "util.hh"
# include "archive.hh"
exportReferencesGraph: Export more complete info in JSON format
This writes info about every path in the closure in the same format as
‘nix path-info --json’. Thus it also includes NAR hashes and sizes.
Example:
[
{
"path": "/nix/store/10h6li26i7g6z3mdpvra09yyf10mmzdr-hello-2.10",
"narHash": "sha256:0ckdc4z20kkmpqdilx0wl6cricxv90lh85xpv2qljppcmz6vzcxl",
"narSize": 197648,
"references": [
"/nix/store/10h6li26i7g6z3mdpvra09yyf10mmzdr-hello-2.10",
"/nix/store/27binbdy296qvjycdgr1535v8872vz3z-glibc-2.24"
],
"closureSize": 20939776
},
{
"path": "/nix/store/27binbdy296qvjycdgr1535v8872vz3z-glibc-2.24",
"narHash": "sha256:1nfn3m3p98y1c0kd0brp80dn9n5mycwgrk183j17rajya0h7gax3",
"narSize": 20742128,
"references": [
"/nix/store/27binbdy296qvjycdgr1535v8872vz3z-glibc-2.24"
],
"closureSize": 20742128
}
]
Fixes #1134.
2017-01-26 19:36:20 +00:00
# include "json.hh"
2020-10-11 16:19:10 +00:00
# include "compression.hh"
2019-12-05 18:11:09 +00:00
# include "worker-protocol.hh"
2020-08-07 19:09:26 +00:00
# include "topo-sort.hh"
2020-09-21 16:40:11 +00:00
# include "callback.hh"
2021-02-26 15:20:33 +00:00
# include "local-store.hh" // TODO remove, along with remaining downcasts
2006-09-04 21:06:23 +00:00
2020-10-12 17:08:52 +00:00
# include <regex>
# include <queue>
2004-05-11 18:05:44 +00:00
# include <sys/types.h>
2018-06-12 11:05:14 +00:00
# include <sys/socket.h>
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
# include <sys/un.h>
2021-04-19 18:31:58 +00:00
# include <sys/wait.h>
2018-06-12 11:05:14 +00:00
# include <netdb.h>
2020-10-11 16:19:10 +00:00
# include <fcntl.h>
2019-05-17 20:29:15 +00:00
# include <termios.h>
2020-10-11 16:19:10 +00:00
# include <unistd.h>
# include <sys/mman.h>
# include <sys/utsname.h>
# include <sys/resource.h>
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
# if HAVE_STATVFS
# include <sys/statvfs.h>
# endif
2005-10-17 15:33:24 +00:00
2015-12-03 15:30:19 +00:00
/* Includes required for chroot support. */
# if __linux__
2012-06-23 04:28:35 +00:00
# include <sys/socket.h>
# include <sys/ioctl.h>
# include <net/if.h>
# include <netinet/ip.h>
2009-01-12 16:30:32 +00:00
# include <sys/personality.h>
2015-10-21 12:45:56 +00:00
# include <sys/mman.h>
2015-12-03 15:30:19 +00:00
# include <sched.h>
# include <sys/param.h>
# include <sys/mount.h>
# include <sys/syscall.h>
2018-02-18 07:35:01 +00:00
# if HAVE_SECCOMP
2017-05-29 09:34:24 +00:00
# include <seccomp.h>
2018-02-18 07:35:01 +00:00
# endif
2015-12-03 15:30:19 +00:00
# define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
2009-01-12 16:30:32 +00:00
# endif
2020-12-03 21:41:59 +00:00
# if __APPLE__
# include <spawn.h>
2021-01-12 04:05:32 +00:00
# include <sys/sysctl.h>
2020-12-03 21:41:59 +00:00
# endif
2020-10-11 16:19:10 +00:00
# include <pwd.h>
# include <grp.h>
2014-02-17 13:15:56 +00:00
2017-10-25 11:01:50 +00:00
# include <nlohmann/json.hpp>
2006-09-04 21:06:23 +00:00
namespace nix {
2020-10-11 16:19:10 +00:00
DerivationGoal : : DerivationGoal ( const StorePath & drvPath ,
const StringSet & wantedOutputs , Worker & worker , BuildMode buildMode )
: Goal ( worker )
, useDerivation ( true )
, drvPath ( drvPath )
, wantedOutputs ( wantedOutputs )
, buildMode ( buildMode )
{
state = & DerivationGoal : : getDerivation ;
name = fmt (
" building of '%s' from .drv file " ,
2021-04-05 13:48:18 +00:00
DerivedPath : : Built { drvPath , wantedOutputs } . to_string ( worker . store ) ) ;
2020-10-11 16:19:10 +00:00
trace ( " created " ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
mcExpectedBuilds = std : : make_unique < MaintainCount < uint64_t > > ( worker . expectedBuilds ) ;
worker . updateProgress ( ) ;
}
2004-06-18 18:09:32 +00:00
2014-11-24 15:48:04 +00:00
2020-10-11 16:19:10 +00:00
DerivationGoal : : DerivationGoal ( const StorePath & drvPath , const BasicDerivation & drv ,
const StringSet & wantedOutputs , Worker & worker , BuildMode buildMode )
: Goal ( worker )
, useDerivation ( false )
, drvPath ( drvPath )
, wantedOutputs ( wantedOutputs )
, buildMode ( buildMode )
{
2021-02-23 13:12:11 +00:00
this - > drv = std : : make_unique < Derivation > ( drv ) ;
2021-02-04 13:41:49 +00:00
2020-10-11 16:19:10 +00:00
state = & DerivationGoal : : haveDerivation ;
name = fmt (
" building of '%s' from in-memory derivation " ,
2021-04-05 13:48:18 +00:00
DerivedPath : : Built { drvPath , drv . outputNames ( ) } . to_string ( worker . store ) ) ;
2020-10-11 16:19:10 +00:00
trace ( " created " ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
mcExpectedBuilds = std : : make_unique < MaintainCount < uint64_t > > ( worker . expectedBuilds ) ;
worker . updateProgress ( ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* Prevent the .chroot directory from being
garbage - collected . ( See isActiveTempFile ( ) in gc . cc . ) */
worker . store . addTempRoot ( this - > drvPath ) ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
DerivationGoal : : ~ DerivationGoal ( )
2004-06-18 18:09:32 +00:00
{
2020-10-11 16:19:10 +00:00
/* Careful: we should never ever throw an exception from a
destructor . */
try { closeLogFile ( ) ; } catch ( . . . ) { ignoreException ( ) ; }
}
2004-06-18 18:09:32 +00:00
2004-06-25 15:36:09 +00:00
2020-10-12 17:08:52 +00:00
string DerivationGoal : : key ( )
{
/* Ensure that derivations get built in order of their name,
i . e . a derivation named " aardvark " always comes before
" baboon " . And substitution goals always happen before
derivation goals ( due to " b$ " ) . */
return " b$ " + std : : string ( drvPath . name ( ) ) + " $ " + worker . store . printStorePath ( drvPath ) ;
}
2020-10-11 16:19:10 +00:00
void DerivationGoal : : killChild ( )
{
hook . reset ( ) ;
}
2005-02-23 11:19:27 +00:00
2020-06-15 17:25:35 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : timedOut ( Error & & ex )
{
killChild ( ) ;
done ( BuildResult : : TimedOut , ex ) ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : work ( )
{
( this - > * state ) ( ) ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : addWantedOutputs ( const StringSet & outputs )
{
/* If we already want all outputs, there is nothing to do. */
if ( wantedOutputs . empty ( ) ) return ;
2004-06-25 10:21:44 +00:00
2020-10-11 16:19:10 +00:00
if ( outputs . empty ( ) ) {
wantedOutputs . clear ( ) ;
needRestart = true ;
} else
for ( auto & i : outputs )
if ( wantedOutputs . insert ( i ) . second )
needRestart = true ;
}
2005-10-17 15:33:24 +00:00
2004-06-29 09:41:50 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : getDerivation ( )
{
trace ( " init " ) ;
2005-02-18 09:50:20 +00:00
2020-10-11 16:19:10 +00:00
/* The first thing to do is to make sure that the derivation
exists . If it doesn ' t , it may be created through a
substitute . */
if ( buildMode = = bmNormal & & worker . store . isValidPath ( drvPath ) ) {
loadDerivation ( ) ;
return ;
2005-02-18 09:50:20 +00:00
}
2012-07-27 13:59:18 +00:00
2020-11-09 12:47:06 +00:00
addWaitee ( upcast_goal ( worker . makePathSubstitutionGoal ( drvPath ) ) ) ;
2006-12-08 17:26:21 +00:00
2020-10-11 16:19:10 +00:00
state = & DerivationGoal : : loadDerivation ;
}
2014-11-24 15:48:04 +00:00
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : loadDerivation ( )
{
trace ( " loading derivation " ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
if ( nrFailed ! = 0 ) {
done ( BuildResult : : MiscFailure , Error ( " cannot build missing derivation '%s' " , worker . store . printStorePath ( drvPath ) ) ) ;
return ;
}
2014-11-24 15:48:04 +00:00
2020-10-11 16:19:10 +00:00
/* `drvPath' should already be a root, but let's be on the safe
side : if the user forgot to make it a root , we wouldn ' t want
things being garbage collected while we ' re busy . */
worker . store . addTempRoot ( drvPath ) ;
2014-11-24 15:48:04 +00:00
2020-10-11 16:19:10 +00:00
assert ( worker . store . isValidPath ( drvPath ) ) ;
2016-12-06 20:58:04 +00:00
2020-10-11 16:19:10 +00:00
/* Get the derivation. */
2021-02-26 11:35:29 +00:00
drv = std : : make_unique < Derivation > ( worker . store . derivationFromPath ( drvPath ) ) ;
2016-12-06 20:58:04 +00:00
2020-10-11 16:19:10 +00:00
haveDerivation ( ) ;
}
2004-06-19 21:45:04 +00:00
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : haveDerivation ( )
2004-06-18 18:09:32 +00:00
{
2020-10-11 16:19:10 +00:00
trace ( " have derivation " ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
if ( drv - > type ( ) = = DerivationType : : CAFloating )
settings . requireExperimentalFeature ( " ca-derivations " ) ;
2004-06-25 15:36:09 +00:00
2020-10-11 16:19:10 +00:00
retrySubstitution = false ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
for ( auto & i : drv - > outputsAndOptPaths ( worker . store ) )
if ( i . second . second )
worker . store . addTempRoot ( * i . second . second ) ;
2004-06-18 18:09:32 +00:00
2021-02-23 13:12:11 +00:00
auto outputHashes = staticOutputHashes ( worker . store , * drv ) ;
for ( auto & [ outputName , outputHash ] : outputHashes )
initialOutputs . insert ( {
outputName ,
InitialOutput {
. wanted = true , // Will be refined later
. outputHash = outputHash
}
} ) ;
2020-10-11 16:19:10 +00:00
/* Check what outputs paths are not already valid. */
checkPathValidity ( ) ;
bool allValid = true ;
for ( auto & [ _ , status ] : initialOutputs ) {
if ( ! status . wanted ) continue ;
if ( ! status . known | | ! status . known - > isValid ( ) ) {
allValid = false ;
break ;
}
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* If they are all valid, then we're done. */
if ( allValid & & buildMode = = bmNormal ) {
done ( BuildResult : : AlreadyValid ) ;
return ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
parsedDrv = std : : make_unique < ParsedDerivation > ( drvPath , * drv ) ;
2004-06-19 21:45:04 +00:00
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* We are first going to try to create the invalid output paths
through substitutes . If that doesn ' t work , we ' ll build
them . */
if ( settings . useSubstitutes & & parsedDrv - > substitutesAllowed ( ) )
2020-11-09 14:40:10 +00:00
for ( auto & [ outputName , status ] : initialOutputs ) {
2020-10-11 16:19:10 +00:00
if ( ! status . wanted ) continue ;
2020-11-09 14:40:10 +00:00
if ( ! status . known )
addWaitee (
upcast_goal (
worker . makeDrvOutputSubstitutionGoal (
DrvOutput { status . outputHash , outputName } ,
buildMode = = bmRepair ? Repair : NoRepair
)
)
) ;
else
addWaitee ( upcast_goal ( worker . makePathSubstitutionGoal (
status . known - > path ,
buildMode = = bmRepair ? Repair : NoRepair ,
getDerivationCA ( * drv ) ) ) ) ;
2020-10-11 16:19:10 +00:00
}
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
if ( waitees . empty ( ) ) /* to prevent hang (no wake-up event) */
outputsSubstitutionTried ( ) ;
else
state = & DerivationGoal : : outputsSubstitutionTried ;
}
2009-03-23 01:05:54 +00:00
2011-06-30 15:19:13 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : outputsSubstitutionTried ( )
{
trace ( " all outputs substituted (maybe) " ) ;
2016-04-08 16:07:13 +00:00
2020-10-11 16:19:10 +00:00
if ( nrFailed > 0 & & nrFailed > nrNoSubstituters + nrIncompleteClosure & & ! settings . tryFallback ) {
done ( BuildResult : : TransientFailure ,
fmt ( " some substitutes for the outputs of derivation '%s' failed (usually happens due to networking issues); try '--fallback' to build derivation from source " ,
worker . store . printStorePath ( drvPath ) ) ) ;
return ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* If the substitutes form an incomplete closure, then we should
build the dependencies of this derivation , but after that , we
2020-10-18 12:21:53 +00:00
can still use the substitutes for this derivation itself .
If the nrIncompleteClosure ! = nrFailed , we have another issue as well .
In particular , it may be the case that the hole in the closure is
an output of the current derivation , which causes a loop if retried .
*/
if ( nrIncompleteClosure > 0 & & nrIncompleteClosure = = nrFailed ) retrySubstitution = true ;
2017-08-14 18:14:55 +00:00
2020-10-11 16:19:10 +00:00
nrFailed = nrNoSubstituters = nrIncompleteClosure = 0 ;
2010-12-13 16:53:23 +00:00
2020-10-11 16:19:10 +00:00
if ( needRestart ) {
needRestart = false ;
haveDerivation ( ) ;
return ;
2017-08-14 18:14:55 +00:00
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
checkPathValidity ( ) ;
size_t nrInvalid = 0 ;
for ( auto & [ _ , status ] : initialOutputs ) {
if ( ! status . wanted ) continue ;
if ( ! status . known | | ! status . known - > isValid ( ) )
nrInvalid + + ;
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
if ( buildMode = = bmNormal & & nrInvalid = = 0 ) {
done ( BuildResult : : Substituted ) ;
return ;
}
if ( buildMode = = bmRepair & & nrInvalid = = 0 ) {
repairClosure ( ) ;
return ;
}
if ( buildMode = = bmCheck & & nrInvalid > 0 )
throw Error ( " some outputs of '%s' are not valid, so checking is not possible " ,
worker . store . printStorePath ( drvPath ) ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* Nothing to wait for; tail call */
gaveUpOnSubstitution ( ) ;
2014-03-29 23:49:23 +00:00
}
2020-10-11 16:19:10 +00:00
/* At least one of the output paths could not be
produced using a substitute . So we have to build instead . */
void DerivationGoal : : gaveUpOnSubstitution ( )
2004-06-18 18:09:32 +00:00
{
2020-10-11 16:19:10 +00:00
/* Make sure checkPathValidity() from now on checks all
outputs . */
wantedOutputs . clear ( ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* The inputs must be built before we can build this goal. */
if ( useDerivation )
for ( auto & i : dynamic_cast < Derivation * > ( drv . get ( ) ) - > inputDrvs )
addWaitee ( worker . makeDerivationGoal ( i . first , i . second , buildMode = = bmRepair ? bmRepair : bmNormal ) ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
for ( auto & i : drv - > inputSrcs ) {
if ( worker . store . isValidPath ( i ) ) continue ;
if ( ! settings . useSubstitutes )
throw Error ( " dependency '%s' of '%s' does not exist, and substitution is disabled " ,
worker . store . printStorePath ( i ) , worker . store . printStorePath ( drvPath ) ) ;
2020-11-09 12:47:06 +00:00
addWaitee ( upcast_goal ( worker . makePathSubstitutionGoal ( i ) ) ) ;
2020-10-11 16:19:10 +00:00
}
2005-02-18 09:50:20 +00:00
2020-10-11 16:19:10 +00:00
if ( waitees . empty ( ) ) /* to prevent hang (no wake-up event) */
inputsRealised ( ) ;
else
state = & DerivationGoal : : inputsRealised ;
}
2012-07-27 13:59:18 +00:00
2012-07-08 22:39:24 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : repairClosure ( )
{
/* If we're repairing, we now know that our own outputs are valid.
Now check whether the other paths in the outputs closure are
good . If not , then start derivation goals for the derivations
that produced those outputs . */
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
/* Get the output closure. */
auto outputs = queryDerivationOutputMap ( ) ;
StorePathSet outputClosure ;
for ( auto & i : outputs ) {
if ( ! wantOutput ( i . first , wantedOutputs ) ) continue ;
worker . store . computeFSClosure ( i . second , outputClosure ) ;
}
2013-01-02 11:38:28 +00:00
2020-10-11 16:19:10 +00:00
/* Filter out our own outputs (which we have already checked). */
for ( auto & i : outputs )
outputClosure . erase ( i . second ) ;
2004-06-28 10:42:57 +00:00
2020-10-11 16:19:10 +00:00
/* Get all dependencies of this derivation so that we know which
derivation is responsible for which path in the output
closure . */
StorePathSet inputClosure ;
if ( useDerivation ) worker . store . computeFSClosure ( drvPath , inputClosure ) ;
std : : map < StorePath , StorePath > outputsToDrv ;
for ( auto & i : inputClosure )
if ( i . isDerivation ( ) ) {
auto depOutputs = worker . store . queryPartialDerivationOutputMap ( i ) ;
for ( auto & j : depOutputs )
if ( j . second )
outputsToDrv . insert_or_assign ( * j . second , i ) ;
2004-06-28 10:42:57 +00:00
}
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* Check each path (slow!). */
for ( auto & i : outputClosure ) {
if ( worker . pathContentsGood ( i ) ) continue ;
2021-01-20 23:27:36 +00:00
printError (
" found corrupted or missing path '%s' in the output closure of '%s' " ,
worker . store . printStorePath ( i ) , worker . store . printStorePath ( drvPath ) ) ;
2020-10-11 16:19:10 +00:00
auto drvPath2 = outputsToDrv . find ( i ) ;
if ( drvPath2 = = outputsToDrv . end ( ) )
2020-11-09 12:47:06 +00:00
addWaitee ( upcast_goal ( worker . makePathSubstitutionGoal ( i , Repair ) ) ) ;
2020-06-15 17:25:35 +00:00
else
2020-10-11 16:19:10 +00:00
addWaitee ( worker . makeDerivationGoal ( drvPath2 - > second , StringSet ( ) , bmRepair ) ) ;
2020-06-15 17:25:35 +00:00
}
2020-10-11 16:19:10 +00:00
if ( waitees . empty ( ) ) {
done ( BuildResult : : AlreadyValid ) ;
return ;
2004-06-25 15:36:09 +00:00
}
2020-10-11 16:19:10 +00:00
state = & DerivationGoal : : closureRepaired ;
2004-06-18 18:09:32 +00:00
}
2020-10-11 16:19:10 +00:00
void DerivationGoal : : closureRepaired ( )
2004-06-25 15:36:09 +00:00
{
2020-10-11 16:19:10 +00:00
trace ( " closure repaired " ) ;
if ( nrFailed > 0 )
throw Error ( " some paths in the output closure of derivation '%s' could not be repaired " ,
worker . store . printStorePath ( drvPath ) ) ;
done ( BuildResult : : AlreadyValid ) ;
2004-06-25 15:36:09 +00:00
}
2020-10-11 16:19:10 +00:00
void DerivationGoal : : inputsRealised ( )
2019-05-10 20:39:31 +00:00
{
2020-10-11 16:19:10 +00:00
trace ( " all inputs realised " ) ;
2019-05-11 20:35:53 +00:00
2020-10-11 16:19:10 +00:00
if ( nrFailed ! = 0 ) {
if ( ! useDerivation )
throw Error ( " some dependencies of '%s' are missing " , worker . store . printStorePath ( drvPath ) ) ;
done ( BuildResult : : DependencyFailed , Error (
" %s dependencies of derivation '%s' failed to build " ,
nrFailed , worker . store . printStorePath ( drvPath ) ) ) ;
return ;
2019-05-10 20:39:31 +00:00
}
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
if ( retrySubstitution ) {
haveDerivation ( ) ;
return ;
}
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
/* Gather information necessary for computing the closure and/or
running the build hook . */
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
/* Determine the full set of input paths. */
2006-12-07 16:33:31 +00:00
2020-10-11 16:19:10 +00:00
/* First, the input derivations. */
if ( useDerivation ) {
auto & fullDrv = * dynamic_cast < Derivation * > ( drv . get ( ) ) ;
2006-12-07 00:16:07 +00:00
2020-10-20 13:14:02 +00:00
if ( settings . isExperimentalFeatureEnabled ( " ca-derivations " ) & &
( ( ! fullDrv . inputDrvs . empty ( ) & & derivationIsCA ( fullDrv . type ( ) ) )
| | fullDrv . type ( ) = = DerivationType : : DeferredInputAddressed ) ) {
2020-10-11 16:19:10 +00:00
/* We are be able to resolve this derivation based on the
now - known results of dependencies . If so , we become a stub goal
aliasing that resolved derivation goal */
std : : optional attempt = fullDrv . tryResolve ( worker . store ) ;
assert ( attempt ) ;
Derivation drvResolved { * std : : move ( attempt ) } ;
2020-05-08 09:22:39 +00:00
2020-10-11 16:19:10 +00:00
auto pathResolved = writeDerivation ( worker . store , drvResolved ) ;
2021-01-27 09:03:05 +00:00
resolvedDrv = drvResolved ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
auto msg = fmt ( " Resolved derivation: '%s' -> '%s' " ,
worker . store . printStorePath ( drvPath ) ,
worker . store . printStorePath ( pathResolved ) ) ;
act = std : : make_unique < Activity > ( * logger , lvlInfo , actBuildWaiting , msg ,
Logger : : Fields {
worker . store . printStorePath ( drvPath ) ,
worker . store . printStorePath ( pathResolved ) ,
} ) ;
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
auto resolvedGoal = worker . makeDerivationGoal (
pathResolved , wantedOutputs , buildMode ) ;
addWaitee ( resolvedGoal ) ;
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
state = & DerivationGoal : : resolvedFinished ;
return ;
}
2020-05-05 10:04:36 +00:00
2020-10-11 16:19:10 +00:00
for ( auto & [ depDrvPath , wantedDepOutputs ] : fullDrv . inputDrvs ) {
/* Add the relevant output closures of the input derivation
` i ' as input paths . Only add the closures of output paths
that are specified as inputs . */
assert ( worker . store . isValidPath ( drvPath ) ) ;
auto outputs = worker . store . queryPartialDerivationOutputMap ( depDrvPath ) ;
for ( auto & j : wantedDepOutputs ) {
if ( outputs . count ( j ) > 0 ) {
auto optRealizedInput = outputs . at ( j ) ;
if ( ! optRealizedInput )
throw Error (
" derivation '%s' requires output '%s' from input derivation '%s', which is supposedly realized already, yet we still don't know what path corresponds to that output " ,
2021-01-07 10:21:43 +00:00
worker . store . printStorePath ( drvPath ) , j , worker . store . printStorePath ( depDrvPath ) ) ;
2020-10-11 16:19:10 +00:00
worker . store . computeFSClosure ( * optRealizedInput , inputPaths ) ;
} else
throw Error (
" derivation '%s' requires non-existent output '%s' from input derivation '%s' " ,
2021-01-07 10:21:43 +00:00
worker . store . printStorePath ( drvPath ) , j , worker . store . printStorePath ( depDrvPath ) ) ;
2020-10-11 16:19:10 +00:00
}
}
2006-12-06 20:00:15 +00:00
}
2020-10-11 16:19:10 +00:00
/* Second, the input sources. */
worker . store . computeFSClosure ( drv - > inputSrcs , inputPaths ) ;
2009-09-23 17:05:51 +00:00
2020-10-11 16:19:10 +00:00
debug ( " added input paths %s " , worker . store . showPaths ( inputPaths ) ) ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
/* What type of derivation are we building? */
derivationType = drv - > type ( ) ;
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
/* Don't repeat fixed-output derivations since they're already
verified by their output hash . */
nrRounds = derivationIsFixed ( derivationType ) ? 1 : settings . buildRepeat + 1 ;
2005-10-20 16:58:34 +00:00
2020-10-11 16:19:10 +00:00
/* Okay, try to build. Note that here we don't wait for a build
slot to become available , since we don ' t need one if there is a
build hook . */
state = & DerivationGoal : : tryToBuild ;
worker . wakeUp ( shared_from_this ( ) ) ;
2006-12-07 00:19:27 +00:00
2020-10-11 16:19:10 +00:00
result = BuildResult ( ) ;
}
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : started ( ) {
auto msg = fmt (
buildMode = = bmRepair ? " repairing outputs of '%s' " :
buildMode = = bmCheck ? " checking outputs of '%s' " :
nrRounds > 1 ? " building '%s' (round %d/%d) " :
" building '%s' " , worker . store . printStorePath ( drvPath ) , curRound , nrRounds ) ;
fmt ( " building '%s' " , worker . store . printStorePath ( drvPath ) ) ;
if ( hook ) msg + = fmt ( " on '%s' " , machineName ) ;
act = std : : make_unique < Activity > ( * logger , lvlInfo , actBuild , msg ,
Logger : : Fields { worker . store . printStorePath ( drvPath ) , hook ? machineName : " " , curRound , nrRounds } ) ;
mcRunningBuilds = std : : make_unique < MaintainCount < uint64_t > > ( worker . runningBuilds ) ;
worker . updateProgress ( ) ;
2006-12-07 14:14:35 +00:00
}
2020-10-11 16:19:10 +00:00
void DerivationGoal : : tryToBuild ( )
2010-08-25 20:44:28 +00:00
{
2020-10-11 16:19:10 +00:00
trace ( " trying to build " ) ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
/* Obtain locks on all output paths, if the paths are known a priori.
2010-08-25 20:44:28 +00:00
2020-10-11 16:19:10 +00:00
The locks are automatically released when we exit this function or Nix
crashes . If we can ' t acquire the lock , then continue ; hopefully some
other goal can start a build , and if not , the main loop will sleep a few
seconds and then retry this goal . */
PathSet lockFiles ;
/* FIXME: Should lock something like the drv itself so we don't build same
CA drv concurrently */
2020-12-20 19:55:21 +00:00
if ( dynamic_cast < LocalStore * > ( & worker . store ) )
/* If we aren't a local store, we might need to use the local store as
a build remote , but that would cause a deadlock . */
/* FIXME: Make it so we can use ourselves as a build remote even if we
are the local store ( separate locking for building vs scheduling ? */
/* FIXME: find some way to lock for scheduling for the other stores so
a forking daemon with - - store still won ' t farm out redundant builds .
*/
for ( auto & i : drv - > outputsAndOptPaths ( worker . store ) )
if ( i . second . second )
lockFiles . insert ( worker . store . Store : : toRealPath ( * i . second . second ) ) ;
2017-10-23 18:43:04 +00:00
2020-10-11 16:19:10 +00:00
if ( ! outputLocks . lockPaths ( lockFiles , " " , false ) ) {
if ( ! actLock )
actLock = std : : make_unique < Activity > ( * logger , lvlWarn , actBuildWaiting ,
fmt ( " waiting for lock on %s " , yellowtxt ( showPaths ( lockFiles ) ) ) ) ;
worker . waitForAWhile ( shared_from_this ( ) ) ;
return ;
}
2017-10-24 11:41:52 +00:00
2020-10-11 16:19:10 +00:00
actLock . reset ( ) ;
2010-08-25 20:44:28 +00:00
2020-10-11 16:19:10 +00:00
/* Now check again whether the outputs are valid. This is because
another process may have started building in parallel . After
it has finished and released the locks , we can ( and should )
reuse its results . ( Strictly speaking the first check can be
omitted , but that would be less efficient . ) Note that since we
now hold the locks on the output paths , no other process can
build this derivation , so no further checks are necessary . */
checkPathValidity ( ) ;
bool allValid = true ;
for ( auto & [ _ , status ] : initialOutputs ) {
if ( ! status . wanted ) continue ;
if ( ! status . known | | ! status . known - > isValid ( ) ) {
allValid = false ;
break ;
}
}
if ( buildMode ! = bmCheck & & allValid ) {
debug ( " skipping build of derivation '%s', someone beat us to it " , worker . store . printStorePath ( drvPath ) ) ;
outputLocks . setDeletion ( true ) ;
done ( BuildResult : : AlreadyValid ) ;
return ;
}
2010-08-25 20:44:28 +00:00
2020-10-11 16:19:10 +00:00
/* If any of the outputs already exist but are not valid, delete
them . */
for ( auto & [ _ , status ] : initialOutputs ) {
if ( ! status . known | | status . known - > isValid ( ) ) continue ;
auto storePath = status . known - > path ;
debug ( " removing invalid path '%s' " , worker . store . printStorePath ( status . known - > path ) ) ;
deletePath ( worker . store . Store : : toRealPath ( storePath ) ) ;
}
2010-08-25 20:44:28 +00:00
2020-10-11 16:19:10 +00:00
/* Don't do a remote build if the derivation has the attribute
` preferLocalBuild ' set . Also , check and repair modes are only
supported for local builds . */
bool buildLocally = buildMode ! = bmNormal | | parsedDrv - > willBuildLocally ( worker . store ) ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
if ( ! buildLocally ) {
switch ( tryBuildHook ( ) ) {
case rpAccept :
/* Yes, it has started doing so. Wait until we get
EOF from the hook . */
actLock . reset ( ) ;
result . startTime = time ( 0 ) ; // inexact
state = & DerivationGoal : : buildDone ;
started ( ) ;
return ;
case rpPostpone :
/* Not now; wait until at least one child finishes or
the wake - up timeout expires . */
if ( ! actLock )
actLock = std : : make_unique < Activity > ( * logger , lvlWarn , actBuildWaiting ,
fmt ( " waiting for a machine to build '%s' " , yellowtxt ( worker . store . printStorePath ( drvPath ) ) ) ) ;
worker . waitForAWhile ( shared_from_this ( ) ) ;
outputLocks . unlock ( ) ;
return ;
case rpDecline :
/* We should do it ourselves. */
break ;
}
}
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
actLock . reset ( ) ;
2010-08-25 20:44:28 +00:00
2020-10-11 16:19:10 +00:00
state = & DerivationGoal : : tryLocalBuild ;
worker . wakeUp ( shared_from_this ( ) ) ;
}
2010-08-30 14:53:03 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : tryLocalBuild ( ) {
2021-02-26 15:20:33 +00:00
throw Error (
" unable to build with a primary store that isn't a local store; "
" either pass a different '--store' or enable remote builds. "
" \n https://nixos.org/nix/manual/#chap-distributed-builds " ) ;
2010-08-25 20:44:28 +00:00
}
2020-10-11 16:19:10 +00:00
static void chmod_ ( const Path & path , mode_t mode )
2010-08-25 20:44:28 +00:00
{
2020-10-11 16:19:10 +00:00
if ( chmod ( path . c_str ( ) , mode ) = = - 1 )
throw SysError ( " setting permissions on '%s' " , path ) ;
2010-08-25 20:44:28 +00:00
}
2020-10-11 16:19:10 +00:00
/* Move/rename path 'src' to 'dst'. Temporarily make 'src' writable if
it ' s a directory and we ' re not root ( to be able to update the
directory ' s parent link " .. " ) . */
static void movePath ( const Path & src , const Path & dst )
2004-05-11 18:05:44 +00:00
{
2020-10-11 16:19:10 +00:00
auto st = lstat ( src ) ;
2012-11-26 16:15:09 +00:00
2020-10-11 16:19:10 +00:00
bool changePerm = ( geteuid ( ) & & S_ISDIR ( st . st_mode ) & & ! ( st . st_mode & S_IWUSR ) ) ;
2012-11-26 16:15:09 +00:00
2020-10-11 16:19:10 +00:00
if ( changePerm )
chmod_ ( src , st . st_mode | S_IWUSR ) ;
2013-01-02 11:38:28 +00:00
2020-10-11 16:19:10 +00:00
if ( rename ( src . c_str ( ) , dst . c_str ( ) ) )
throw SysError ( " renaming '%1%' to '%2%' " , src , dst ) ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
if ( changePerm )
chmod_ ( dst , st . st_mode ) ;
}
2018-09-28 10:43:01 +00:00
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
void replaceValidPath ( const Path & storePath , const Path & tmpPath )
{
/* We can't atomically replace storePath (the original) with
tmpPath ( the replacement ) , so we have to move it out of the
way first . We ' d better not be interrupted here , because if
we ' re repairing ( say ) Glibc , we end up with a broken system . */
Path oldPath = ( format ( " %1%.old-%2%-%3% " ) % storePath % getpid ( ) % random ( ) ) . str ( ) ;
if ( pathExists ( storePath ) )
movePath ( storePath , oldPath ) ;
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
try {
movePath ( tmpPath , storePath ) ;
} catch ( . . . ) {
try {
// attempt to recover
movePath ( oldPath , storePath ) ;
} catch ( . . . ) {
ignoreException ( ) ;
}
throw ;
}
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
deletePath ( oldPath ) ;
}
2013-06-13 14:43:20 +00:00
2005-10-17 15:33:24 +00:00
2021-02-26 15:20:33 +00:00
int DerivationGoal : : getChildStatus ( )
{
return hook - > pid . kill ( ) ;
}
void DerivationGoal : : closeReadPipes ( )
{
hook - > builderOut . readSide = - 1 ;
hook - > fromHook . readSide = - 1 ;
}
void DerivationGoal : : cleanupHookFinally ( )
{
}
void DerivationGoal : : cleanupPreChildKill ( )
{
}
void DerivationGoal : : cleanupPostChildKill ( )
{
}
bool DerivationGoal : : cleanupDecideWhetherDiskFull ( )
{
return false ;
}
void DerivationGoal : : cleanupPostOutputsRegisteredModeCheck ( )
{
}
void DerivationGoal : : cleanupPostOutputsRegisteredModeNonCheck ( )
{
}
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : buildDone ( )
{
trace ( " build done " ) ;
2015-12-02 13:59:07 +00:00
2021-02-26 15:20:33 +00:00
Finally releaseBuildUser ( [ & ] ( ) { this - > cleanupHookFinally ( ) ; } ) ;
2004-05-11 18:05:44 +00:00
2021-02-26 15:20:33 +00:00
cleanupPreChildKill ( ) ;
2013-09-02 09:58:18 +00:00
2020-10-11 16:19:10 +00:00
/* Since we got an EOF on the logger pipe, the builder is presumed
to have terminated . In fact , the builder could also have
simply have closed its end of the pipe , so just to be sure ,
kill it . */
2021-02-26 15:20:33 +00:00
int status = getChildStatus ( ) ;
2016-04-25 14:47:46 +00:00
2020-10-11 16:19:10 +00:00
debug ( " builder process for '%s' finished " , worker . store . printStorePath ( drvPath ) ) ;
2016-04-25 14:47:46 +00:00
2020-10-11 16:19:10 +00:00
result . timesBuilt + + ;
result . stopTime = time ( 0 ) ;
2017-10-24 11:41:52 +00:00
2020-10-11 16:19:10 +00:00
/* So the child is gone now. */
worker . childTerminated ( this ) ;
2004-05-13 19:14:49 +00:00
2020-10-11 16:19:10 +00:00
/* Close the read side of the logger pipe. */
2021-02-26 15:20:33 +00:00
closeReadPipes ( ) ;
2016-06-09 16:27:39 +00:00
2020-10-11 16:19:10 +00:00
/* Close the log file. */
closeLogFile ( ) ;
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2021-02-26 15:20:33 +00:00
cleanupPostChildKill ( ) ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
bool diskFull = false ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
try {
2007-10-27 00:46:59 +00:00
2020-10-11 16:19:10 +00:00
/* Check the exit status. */
if ( ! statusOk ( status ) ) {
2009-03-25 21:05:42 +00:00
2021-02-26 15:20:33 +00:00
diskFull | = cleanupDecideWhetherDiskFull ( ) ;
2020-08-07 19:09:26 +00:00
2020-10-11 16:19:10 +00:00
auto msg = fmt ( " builder for '%s' %s " ,
yellowtxt ( worker . store . printStorePath ( drvPath ) ) ,
statusToString ( status ) ) ;
2020-08-07 19:09:26 +00:00
2020-10-11 16:19:10 +00:00
if ( ! logger - > isVerbose ( ) & & ! logTail . empty ( ) ) {
2021-01-20 23:27:36 +00:00
msg + = fmt ( " ; \n last %d log lines: \n " , logTail . size ( ) ) ;
for ( auto & line : logTail ) {
msg + = " > " ;
msg + = line ;
msg + = " \n " ;
}
2021-01-25 16:15:38 +00:00
msg + = fmt ( " For full logs, run ' " ANSI_BOLD " nix log %s " ANSI_NORMAL " '. " ,
worker . store . printStorePath ( drvPath ) ) ;
2020-10-11 16:19:10 +00:00
}
2020-08-07 19:09:26 +00:00
2020-10-11 16:19:10 +00:00
if ( diskFull )
msg + = " \n note: build failure may have been caused by lack of free disk space " ;
2014-02-17 22:04:52 +00:00
2020-10-11 16:19:10 +00:00
throw BuildError ( msg ) ;
}
2012-10-02 21:13:46 +00:00
2020-10-11 16:19:10 +00:00
/* Compute the FS closure of the outputs and register them as
being valid . */
registerOutputs ( ) ;
2015-07-20 01:15:45 +00:00
2020-10-11 16:19:10 +00:00
if ( settings . postBuildHook ! = " " ) {
Activity act ( * logger , lvlInfo , actPostBuildHook ,
fmt ( " running post-build-hook '%s' " , settings . postBuildHook ) ,
Logger : : Fields { worker . store . printStorePath ( drvPath ) } ) ;
PushActivity pact ( act . id ) ;
StorePathSet outputPaths ;
2020-12-09 08:44:07 +00:00
for ( auto i : drv - > outputs ) {
outputPaths . insert ( finalOutputs . at ( i . first ) ) ;
2020-10-11 16:19:10 +00:00
}
std : : map < std : : string , std : : string > hookEnvironment = getEnv ( ) ;
2015-11-09 22:16:24 +00:00
2020-10-11 16:19:10 +00:00
hookEnvironment . emplace ( " DRV_PATH " , worker . store . printStorePath ( drvPath ) ) ;
hookEnvironment . emplace ( " OUT_PATHS " , chomp ( concatStringsSep ( " " , worker . store . printStorePathSet ( outputPaths ) ) ) ) ;
2015-11-09 22:16:24 +00:00
2020-10-11 16:19:10 +00:00
RunOptions opts ( settings . postBuildHook , { } ) ;
opts . environment = hookEnvironment ;
2015-11-09 22:16:24 +00:00
2020-10-11 16:19:10 +00:00
struct LogSink : Sink {
Activity & act ;
std : : string currentLine ;
2016-12-19 10:52:57 +00:00
2020-10-11 16:19:10 +00:00
LogSink ( Activity & act ) : act ( act ) { }
2017-01-25 11:00:28 +00:00
2020-12-02 13:00:43 +00:00
void operator ( ) ( std : : string_view data ) override {
for ( auto c : data ) {
2020-10-11 16:19:10 +00:00
if ( c = = ' \n ' ) {
flushLine ( ) ;
} else {
currentLine + = c ;
}
}
}
2017-08-15 13:31:59 +00:00
2020-10-11 16:19:10 +00:00
void flushLine ( ) {
act . result ( resPostBuildLogLine , currentLine ) ;
currentLine . clear ( ) ;
}
2020-06-15 14:03:29 +00:00
2020-10-11 16:19:10 +00:00
~ LogSink ( ) {
if ( currentLine ! = " " ) {
currentLine + = ' \n ' ;
flushLine ( ) ;
}
}
} ;
LogSink sink ( act ) ;
2017-08-21 10:01:21 +00:00
2020-10-11 16:19:10 +00:00
opts . standardOut = & sink ;
opts . mergeStderrToStdout = true ;
runProgram2 ( opts ) ;
}
2017-10-24 12:24:57 +00:00
2020-10-11 16:19:10 +00:00
if ( buildMode = = bmCheck ) {
2021-02-26 15:20:33 +00:00
cleanupPostOutputsRegisteredModeCheck ( ) ;
2020-10-11 16:19:10 +00:00
done ( BuildResult : : Built ) ;
return ;
}
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2021-02-26 15:20:33 +00:00
cleanupPostOutputsRegisteredModeNonCheck ( ) ;
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
/* Repeat the build if necessary. */
if ( curRound + + < nrRounds ) {
outputLocks . unlock ( ) ;
state = & DerivationGoal : : tryToBuild ;
worker . wakeUp ( shared_from_this ( ) ) ;
return ;
}
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
/* It is now safe to delete the lock files, since all future
lockers will see that the output paths are valid ; they will
not create new lock files with the same names as the old
( unlinked ) lock files . */
outputLocks . setDeletion ( true ) ;
outputLocks . unlock ( ) ;
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
} catch ( BuildError & e ) {
outputLocks . unlock ( ) ;
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
BuildResult : : Status st = BuildResult : : MiscFailure ;
2019-05-12 20:47:41 +00:00
2020-10-11 16:19:10 +00:00
if ( hook & & WIFEXITED ( status ) & & WEXITSTATUS ( status ) = = 101 )
st = BuildResult : : TimedOut ;
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
else if ( hook & & ( ! WIFEXITED ( status ) | | WEXITSTATUS ( status ) ! = 100 ) ) {
}
2014-11-24 15:48:04 +00:00
2020-10-11 16:19:10 +00:00
else {
st =
dynamic_cast < NotDeterministic * > ( & e ) ? BuildResult : : NotDeterministic :
statusOk ( status ) ? BuildResult : : OutputRejected :
derivationIsImpure ( derivationType ) | | diskFull ? BuildResult : : TransientFailure :
BuildResult : : PermanentFailure ;
}
2004-06-19 21:45:04 +00:00
2020-10-11 16:19:10 +00:00
done ( st , e ) ;
return ;
2005-02-23 11:19:27 +00:00
}
2008-01-15 04:32:08 +00:00
2020-10-11 16:19:10 +00:00
done ( BuildResult : : Built ) ;
}
2019-10-12 23:02:57 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : resolvedFinished ( ) {
2021-01-27 09:03:05 +00:00
assert ( resolvedDrv ) ;
auto resolvedHashes = staticOutputHashes ( worker . store , * resolvedDrv ) ;
// `wantedOutputs` might be empty, which means “all the outputs”
auto realWantedOutputs = wantedOutputs ;
if ( realWantedOutputs . empty ( ) )
realWantedOutputs = resolvedDrv - > outputNames ( ) ;
for ( auto & wantedOutput : realWantedOutputs ) {
2021-02-04 13:41:49 +00:00
assert ( initialOutputs . count ( wantedOutput ) ! = 0 ) ;
2021-01-27 09:03:05 +00:00
assert ( resolvedHashes . count ( wantedOutput ) ! = 0 ) ;
auto realisation = worker . store . queryRealisation (
DrvOutput { resolvedHashes . at ( wantedOutput ) , wantedOutput }
) ;
// We've just built it, but maybe the build failed, in which case the
// realisation won't be there
if ( realisation ) {
auto newRealisation = * realisation ;
2021-02-04 13:41:49 +00:00
newRealisation . id = DrvOutput { initialOutputs . at ( wantedOutput ) . outputHash , wantedOutput } ;
2021-03-08 16:32:20 +00:00
newRealisation . signatures . clear ( ) ;
2021-05-19 08:35:31 +00:00
newRealisation . drvOutputDeps = drvOutputReferences ( worker . store , * drv , realisation - > outPath ) ;
2021-03-08 16:32:20 +00:00
signRealisation ( newRealisation ) ;
2021-01-27 09:03:05 +00:00
worker . store . registerDrvOutput ( newRealisation ) ;
} else {
// If we don't have a realisation, then it must mean that something
// failed when building the resolved drv
assert ( ! result . success ( ) ) ;
}
}
// This is potentially a bit fishy in terms of error reporting. Not sure
// how to do it in a cleaner way
amDone ( nrFailed = = 0 ? ecSuccess : ecFailed , ex ) ;
2020-10-11 16:19:10 +00:00
}
Add support for passing structured data to builders
Previously, all derivation attributes had to be coerced into strings
so that they could be passed via the environment. This is lossy
(e.g. lists get flattened, necessitating configureFlags
vs. configureFlagsArray, of which the latter cannot be specified as an
attribute), doesn't support attribute sets at all, and has size
limitations (necessitating hacks like passAsFile).
This patch adds a new mode for passing attributes to builders, namely
encoded as a JSON file ".attrs.json" in the current directory of the
builder. This mode is activated via the special attribute
__structuredAttrs = true;
(The idea is that one day we can set this in stdenv.mkDerivation.)
For example,
stdenv.mkDerivation {
__structuredAttrs = true;
name = "foo";
buildInputs = [ pkgs.hello pkgs.cowsay ];
doCheck = true;
hardening.format = false;
}
results in a ".attrs.json" file containing (sans the indentation):
{
"buildInputs": [],
"builder": "/nix/store/ygl61ycpr2vjqrx775l1r2mw1g2rb754-bash-4.3-p48/bin/bash",
"configureFlags": [
"--with-foo",
"--with-bar=1 2"
],
"doCheck": true,
"hardening": {
"format": false
},
"name": "foo",
"nativeBuildInputs": [
"/nix/store/10h6li26i7g6z3mdpvra09yyf10mmzdr-hello-2.10",
"/nix/store/4jnvjin0r6wp6cv1hdm5jbkx3vinlcvk-cowsay-3.03"
],
"propagatedBuildInputs": [],
"propagatedNativeBuildInputs": [],
"stdenv": "/nix/store/f3hw3p8armnzy6xhd4h8s7anfjrs15n2-stdenv",
"system": "x86_64-linux"
}
"passAsFile" is ignored in this mode because it's not needed - large
strings are included directly in the JSON representation.
It is up to the builder to do something with the JSON
representation. For example, in bash-based builders, lists/attrsets of
string values could be mapped to bash (associative) arrays.
2017-01-25 15:42:07 +00:00
2020-10-11 16:19:10 +00:00
HookReply DerivationGoal : : tryBuildHook ( )
{
if ( ! worker . tryBuildHook | | ! useDerivation ) return rpDecline ;
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
if ( ! worker . hook )
worker . hook = std : : make_unique < HookInstance > ( ) ;
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
try {
Recursive Nix support
This allows Nix builders to call Nix to build derivations, with some
limitations.
Example:
let nixpkgs = fetchTarball channel:nixos-18.03; in
with import <nixpkgs> {};
runCommand "foo"
{
buildInputs = [ nix jq ];
NIX_PATH = "nixpkgs=${nixpkgs}";
}
''
hello=$(nix-build -E '(import <nixpkgs> {}).hello.overrideDerivation (args: { name = "hello-3.5"; })')
$hello/bin/hello
mkdir -p $out/bin
ln -s $hello/bin/hello $out/bin/hello
nix path-info -r --json $hello | jq .
''
This derivation makes a recursive Nix call to build GNU Hello and
symlinks it from its $out, i.e.
# ll ./result/bin/
lrwxrwxrwx 1 root root 63 Jan 1 1970 hello -> /nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5/bin/hello
# nix-store -qR ./result
/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131
/nix/store/s0awxrs71gickhaqdwxl506hzccb30y5-hello-3.5
/nix/store/sgmvvyw8vhfqdqb619bxkcpfn9lvd8ss-foo
This is implemented as follows:
* Before running the outer builder, Nix creates a Unix domain socket
'.nix-socket' in the builder's temporary directory and sets
$NIX_REMOTE to point to it. It starts a thread to process
connections to this socket. (Thus you don't need to have nix-daemon
running.)
* The daemon thread uses a wrapper store (RestrictedStore) to keep
track of paths added through recursive Nix calls, to implement some
restrictions (see below), and to do some censorship (e.g. for
purity, queryPathInfo() won't return impure information such as
signatures and timestamps).
* After the build finishes, the output paths are scanned for
references to the paths added through recursive Nix calls (in
addition to the inputs closure). Thus, in the example above, $out
has a reference to $hello.
The main restriction on recursive Nix calls is that they cannot do
arbitrary substitutions. For example, doing
nix-store -r /nix/store/kmwd1hq55akdb9sc7l3finr175dajlby-hello-2.10
is forbidden unless /nix/store/kmwd... is in the inputs closure or
previously built by a recursive Nix call. This is to prevent
irreproducible derivations that have hidden dependencies on
substituters or the current store contents. Building a derivation is
fine, however, and Nix will use substitutes if available. In other
words, the builder has to present proof that it knows how to build a
desired store path from scratch by constructing a derivation graph for
that path.
Probably we should also disallow instantiating/building fixed-output
derivations (specifically, those that access the network, but
currently we have no way to mark fixed-output derivations that don't
access the network). Otherwise sandboxed derivations can bypass
sandbox restrictions and access the network.
When sandboxing is enabled, we make paths appear in the sandbox of the
builder by entering the mount namespace of the builder and
bind-mounting each path. This is tricky because we do a pivot_root()
in the builder to change the root directory of its mount namespace,
and thus the host /nix/store is not visible in the mount namespace of
the builder. To get around this, just before doing pivot_root(), we
branch a second mount namespace that shares its /nix/store mountpoint
with the parent.
Recursive Nix currently doesn't work on macOS in sandboxed mode
(because we can't change the sandbox policy of a running build) and in
non-root mode (because setns() barfs).
2018-10-02 14:01:26 +00:00
2020-10-11 16:19:10 +00:00
/* Send the request to the hook. */
worker . hook - > sink
< < " try "
< < ( worker . getNrLocalBuilds ( ) < settings . maxBuildJobs ? 1 : 0 )
< < drv - > platform
< < worker . store . printStorePath ( drvPath )
< < parsedDrv - > getRequiredSystemFeatures ( ) ;
worker . hook - > sink . flush ( ) ;
2017-01-25 11:00:28 +00:00
2020-10-11 16:19:10 +00:00
/* Read the first line of input, which should be a word indicating
whether the hook wishes to perform the build . */
string reply ;
while ( true ) {
2021-02-05 11:11:50 +00:00
auto s = [ & ] ( ) {
try {
return readLine ( worker . hook - > fromHook . readSide . get ( ) ) ;
} catch ( Error & e ) {
e . addTrace ( { } , " while reading the response from the build hook " ) ;
throw e ;
}
} ( ) ;
2020-10-11 16:19:10 +00:00
if ( handleJSONLogMessage ( s , worker . act , worker . hook - > activities , true ) )
;
else if ( string ( s , 0 , 2 ) = = " # " ) {
reply = string ( s , 2 ) ;
break ;
}
else {
s + = " \n " ;
writeToStderr ( s ) ;
}
}
2012-06-25 19:45:16 +00:00
2020-10-11 16:19:10 +00:00
debug ( " hook reply is '%1%' " , reply ) ;
2012-06-25 19:45:16 +00:00
2020-10-11 16:19:10 +00:00
if ( reply = = " decline " )
return rpDecline ;
else if ( reply = = " decline-permanently " ) {
worker . tryBuildHook = false ;
worker . hook = 0 ;
return rpDecline ;
}
else if ( reply = = " postpone " )
return rpPostpone ;
else if ( reply ! = " accept " )
throw Error ( " bad hook reply '%s' " , reply ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
} catch ( SysError & e ) {
if ( e . errNo = = EPIPE ) {
2021-01-20 23:27:36 +00:00
printError (
" build hook died unexpectedly: %s " ,
chomp ( drainFD ( worker . hook - > fromHook . readSide . get ( ) ) ) ) ;
2020-10-11 16:19:10 +00:00
worker . hook = 0 ;
return rpDecline ;
} else
throw ;
}
2018-10-22 19:49:56 +00:00
2020-10-11 16:19:10 +00:00
hook = std : : move ( worker . hook ) ;
2004-06-18 18:09:32 +00:00
2021-02-05 11:11:50 +00:00
try {
machineName = readLine ( hook - > fromHook . readSide . get ( ) ) ;
} catch ( Error & e ) {
e . addTrace ( { } , " while reading the machine name from the build hook " ) ;
throw e ;
}
2012-05-30 14:12:29 +00:00
2020-10-11 16:19:10 +00:00
/* Tell the hook all the inputs that have to be copied to the
remote system . */
worker_proto : : write ( worker . store , hook - > sink , inputPaths ) ;
2004-06-18 18:09:32 +00:00
2020-10-11 16:19:10 +00:00
/* Tell the hooks the missing outputs that have to be copied back
from the remote system . */
{
2021-01-26 09:48:41 +00:00
StringSet missingOutputs ;
for ( auto & [ outputName , status ] : initialOutputs ) {
2021-01-26 08:35:10 +00:00
// XXX: Does this include known CA outputs?
if ( buildMode ! = bmCheck & & status . known & & status . known - > isValid ( ) ) continue ;
2021-01-26 09:48:41 +00:00
missingOutputs . insert ( outputName ) ;
2020-10-11 16:19:10 +00:00
}
2021-01-26 09:48:41 +00:00
worker_proto : : write ( worker . store , hook - > sink , missingOutputs ) ;
2020-10-11 16:19:10 +00:00
}
2004-06-29 09:41:50 +00:00
2020-10-11 16:19:10 +00:00
hook - > sink = FdSink ( ) ;
hook - > toHook . writeSide = - 1 ;
2020-08-07 19:09:26 +00:00
2020-10-11 16:19:10 +00:00
/* Create the log file and pipe. */
Path logFile = openLogFile ( ) ;
2009-03-25 21:05:42 +00:00
2020-10-11 16:19:10 +00:00
set < int > fds ;
fds . insert ( hook - > fromHook . readSide . get ( ) ) ;
fds . insert ( hook - > builderOut . readSide . get ( ) ) ;
worker . childStarted ( shared_from_this ( ) , fds , false , false ) ;
2012-10-02 21:13:46 +00:00
2020-10-11 16:19:10 +00:00
return rpAccept ;
}
2012-10-03 14:38:09 +00:00
2015-07-20 01:15:45 +00:00
2020-10-11 16:19:10 +00:00
StorePathSet DerivationGoal : : exportReferences ( const StorePathSet & storePaths )
{
StorePathSet paths ;
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
for ( auto & storePath : storePaths ) {
if ( ! inputPaths . count ( storePath ) )
throw BuildError ( " cannot export references of path '%s' because it is not in the input closure of the derivation " , worker . store . printStorePath ( storePath ) ) ;
2004-05-11 18:05:44 +00:00
2020-10-11 16:19:10 +00:00
worker . store . computeFSClosure ( { storePath } , paths ) ;
}
2017-01-25 11:00:28 +00:00
2020-10-11 16:19:10 +00:00
/* If there are derivations in the graph, then include their
outputs as well . This is useful if you want to do things
like passing all build - time dependencies of some path to a
derivation that builds a NixOS DVD image . */
auto paths2 = paths ;
2017-01-25 11:00:28 +00:00
2020-10-11 16:19:10 +00:00
for ( auto & j : paths2 ) {
if ( j . isDerivation ( ) ) {
Derivation drv = worker . store . derivationFromPath ( j ) ;
for ( auto & k : drv . outputsAndOptPaths ( worker . store ) ) {
if ( ! k . second . second )
/* FIXME: I am confused why we are calling
` computeFSClosure ` on the output path , rather than
derivation itself . That doesn ' t seem right to me , so I
won ' t try to implemented this for CA derivations . */
throw UnimplementedError ( " exportReferences on CA derivations is not yet implemented " ) ;
worker . store . computeFSClosure ( * k . second . second , paths ) ;
}
}
}
2017-05-16 14:09:57 +00:00
2020-10-11 16:19:10 +00:00
return paths ;
2004-05-11 18:05:44 +00:00
}
2017-05-16 14:09:57 +00:00
2021-02-26 15:20:33 +00:00
void DerivationGoal : : registerOutputs ( )
{
/* When using a build hook, the build hook can register the output
as valid ( by doing ` nix - store - - import ' ) . If so we don ' t have
to do anything here .
Allow remote builds without sending the derivation closure
Previously, to build a derivation remotely, we had to copy the entire
closure of the .drv file to the remote machine, even though we only
need the top-level derivation. This is very wasteful: the closure can
contain thousands of store paths, and in some Hydra use cases, include
source paths that are very large (e.g. Git/Mercurial checkouts).
So now there is a new operation, StoreAPI::buildDerivation(), that
performs a build from an in-memory representation of a derivation
(BasicDerivation) rather than from a on-disk .drv file. The only files
that need to be in the Nix store are the sources of the derivation
(drv.inputSrcs), and the needed output paths of the dependencies (as
described by drv.inputDrvs). "nix-store --serve" exposes this
interface.
Note that this is a privileged operation, because you can construct a
derivation that builds any store path whatsoever. Fixing this will
require changing the hashing scheme (i.e., the output paths should be
computed from the other fields in BasicDerivation, allowing them to be
verified without access to other derivations). However, this would be
quite nice because it would allow .drv-free building (e.g. "nix-env
-i" wouldn't have to write any .drv files to disk).
Fixes #173.
2015-07-17 15:57:40 +00:00
2021-02-26 15:20:33 +00:00
We can only early return when the outputs are known a priori . For
floating content - addressed derivations this isn ' t the case .
*/
for ( auto & [ outputName , optOutputPath ] : worker . store . queryPartialDerivationOutputMap ( drvPath ) ) {
if ( ! wantOutput ( outputName , wantedOutputs ) )
continue ;
if ( ! optOutputPath )
throw BuildError (
" output '%s' from derivation '%s' does not have a known output path " ,
outputName , worker . store . printStorePath ( drvPath ) ) ;
auto & outputPath = * optOutputPath ;
if ( ! worker . store . isValidPath ( outputPath ) )
throw BuildError (
" output '%s' from derivation '%s' is supposed to be at '%s' but that path is not valid " ,
outputName , worker . store . printStorePath ( drvPath ) , worker . store . printStorePath ( outputPath ) ) ;
Allow remote builds without sending the derivation closure
Previously, to build a derivation remotely, we had to copy the entire
closure of the .drv file to the remote machine, even though we only
need the top-level derivation. This is very wasteful: the closure can
contain thousands of store paths, and in some Hydra use cases, include
source paths that are very large (e.g. Git/Mercurial checkouts).
So now there is a new operation, StoreAPI::buildDerivation(), that
performs a build from an in-memory representation of a derivation
(BasicDerivation) rather than from a on-disk .drv file. The only files
that need to be in the Nix store are the sources of the derivation
(drv.inputSrcs), and the needed output paths of the dependencies (as
described by drv.inputDrvs). "nix-store --serve" exposes this
interface.
Note that this is a privileged operation, because you can construct a
derivation that builds any store path whatsoever. Fixing this will
require changing the hashing scheme (i.e., the output paths should be
computed from the other fields in BasicDerivation, allowing them to be
verified without access to other derivations). However, this would be
quite nice because it would allow .drv-free building (e.g. "nix-env
-i" wouldn't have to write any .drv files to disk).
Fixes #173.
2015-07-17 15:57:40 +00:00
2021-02-26 15:20:33 +00:00
finalOutputs . insert_or_assign ( outputName , outputPath ) ;
2020-10-11 16:19:10 +00:00
}
2004-05-11 18:05:44 +00:00
}
2021-02-26 15:20:33 +00:00
Path DerivationGoal : : openLogFile ( )
2019-05-12 20:47:41 +00:00
{
2021-02-26 15:20:33 +00:00
logSize = 0 ;
2006-12-08 18:41:48 +00:00
2021-02-26 15:20:33 +00:00
if ( ! settings . keepLog ) return " " ;
2012-07-27 13:59:18 +00:00
2021-02-26 15:20:33 +00:00
auto baseName = std : : string ( baseNameOf ( worker . store . printStorePath ( drvPath ) ) ) ;
2010-08-25 20:44:28 +00:00
2021-02-26 15:20:33 +00:00
/* Create a log file. */
Path logDir ;
if ( auto localStore = dynamic_cast < LocalStore * > ( & worker . store ) )
logDir = localStore - > logDir ;
else
logDir = settings . nixLogDir ;
Path dir = fmt ( " %s/%s/%s/ " , logDir , LocalFSStore : : drvsLogDir , string ( baseName , 0 , 2 ) ) ;
createDirs ( dir ) ;
2004-05-11 18:05:44 +00:00
2021-02-26 15:20:33 +00:00
Path logFileName = fmt ( " %s/%s%s " , dir , string ( baseName , 2 ) ,
settings . compressLog ? " .bz2 " : " " ) ;
2014-11-24 15:44:35 +00:00
2021-02-26 15:20:33 +00:00
fdLogFile = open ( logFileName . c_str ( ) , O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC , 0666 ) ;
if ( ! fdLogFile ) throw SysError ( " creating log file '%1%' " , logFileName ) ;
2004-06-25 10:21:44 +00:00
2021-02-26 15:20:33 +00:00
logFileSink = std : : make_shared < FdSink > ( fdLogFile . get ( ) ) ;
2003-07-20 19:29:38 +00:00
2021-02-26 15:20:33 +00:00
if ( settings . compressLog )
logSink = std : : shared_ptr < CompressionSink > ( makeCompressionSink ( " bzip2 " , * logFileSink ) ) ;
else
logSink = logFileSink ;
2004-05-11 18:05:44 +00:00
2021-02-26 15:20:33 +00:00
return logFileName ;
}
Allow remote builds without sending the derivation closure
Previously, to build a derivation remotely, we had to copy the entire
closure of the .drv file to the remote machine, even though we only
need the top-level derivation. This is very wasteful: the closure can
contain thousands of store paths, and in some Hydra use cases, include
source paths that are very large (e.g. Git/Mercurial checkouts).
So now there is a new operation, StoreAPI::buildDerivation(), that
performs a build from an in-memory representation of a derivation
(BasicDerivation) rather than from a on-disk .drv file. The only files
that need to be in the Nix store are the sources of the derivation
(drv.inputSrcs), and the needed output paths of the dependencies (as
described by drv.inputDrvs). "nix-store --serve" exposes this
interface.
Note that this is a privileged operation, because you can construct a
derivation that builds any store path whatsoever. Fixing this will
require changing the hashing scheme (i.e., the output paths should be
computed from the other fields in BasicDerivation, allowing them to be
verified without access to other derivations). However, this would be
quite nice because it would allow .drv-free building (e.g. "nix-env
-i" wouldn't have to write any .drv files to disk).
Fixes #173.
2015-07-17 15:57:40 +00:00
2005-01-31 10:27:25 +00:00
2021-02-26 15:20:33 +00:00
void DerivationGoal : : closeLogFile ( )
{
auto logSink2 = std : : dynamic_pointer_cast < CompressionSink > ( logSink ) ;
if ( logSink2 ) logSink2 - > finish ( ) ;
if ( logFileSink ) logFileSink - > flush ( ) ;
logSink = logFileSink = 0 ;
fdLogFile = - 1 ;
}
2005-01-25 10:55:33 +00:00
2021-02-26 15:20:33 +00:00
bool DerivationGoal : : isReadDesc ( int fd )
{
return fd = = hook - > builderOut . readSide . get ( ) ;
}
2012-11-26 16:15:09 +00:00
2003-08-01 14:11:19 +00:00
2021-02-26 15:20:33 +00:00
void DerivationGoal : : handleChildOutput ( int fd , const string & data )
{
if ( isReadDesc ( fd ) )
{
logSize + = data . size ( ) ;
if ( settings . maxLogSize & & logSize > settings . maxLogSize ) {
killChild ( ) ;
done (
BuildResult : : LogLimitExceeded ,
Error ( " %s killed after writing more than %d bytes of log output " ,
getName ( ) , settings . maxLogSize ) ) ;
return ;
2020-10-11 16:19:10 +00:00
}
2012-10-03 14:38:09 +00:00
2021-02-26 15:20:33 +00:00
for ( auto c : data )
if ( c = = ' \r ' )
currentLogLinePos = 0 ;
else if ( c = = ' \n ' )
flushLine ( ) ;
else {
if ( currentLogLinePos > = currentLogLine . size ( ) )
currentLogLine . resize ( currentLogLinePos + 1 ) ;
currentLogLine [ currentLogLinePos + + ] = c ;
2020-10-11 16:19:10 +00:00
}
2020-10-14 10:20:58 +00:00
2021-02-26 15:20:33 +00:00
if ( logSink ) ( * logSink ) ( data ) ;
2009-03-22 23:53:05 +00:00
}
2012-07-27 13:59:18 +00:00
2021-02-26 15:20:33 +00:00
if ( hook & & fd = = hook - > fromHook . readSide . get ( ) ) {
for ( auto c : data )
if ( c = = ' \n ' ) {
handleJSONLogMessage ( currentHookLine , worker . act , hook - > activities , true ) ;
currentHookLine . clear ( ) ;
} else
currentHookLine + = c ;
2020-05-14 14:00:54 +00:00
}
2020-10-11 16:19:10 +00:00
}
2020-05-14 14:00:54 +00:00
2020-06-15 14:03:29 +00:00
2021-02-26 15:20:33 +00:00
void DerivationGoal : : handleEOF ( int fd )
{
if ( ! currentLogLine . empty ( ) ) flushLine ( ) ;
worker . wakeUp ( shared_from_this ( ) ) ;
2020-09-23 19:29:10 +00:00
}
2021-02-26 15:20:33 +00:00
void DerivationGoal : : flushLine ( )
2020-09-23 19:29:10 +00:00
{
2021-02-26 15:20:33 +00:00
if ( handleJSONLogMessage ( currentLogLine , * act , builderActivities , false ) )
;
2020-10-11 16:19:10 +00:00
2021-02-26 15:20:33 +00:00
else {
logTail . push_back ( currentLogLine ) ;
if ( logTail . size ( ) > settings . logLines ) logTail . pop_front ( ) ;
2012-10-02 21:13:46 +00:00
2021-02-26 15:20:33 +00:00
act - > result ( resBuildLogLine , currentLogLine ) ;
}
2012-10-02 21:13:46 +00:00
2021-02-26 15:20:33 +00:00
currentLogLine = " " ;
currentLogLinePos = 0 ;
}
2015-11-09 22:16:24 +00:00
2021-02-26 15:20:33 +00:00
std : : map < std : : string , std : : optional < StorePath > > DerivationGoal : : queryPartialDerivationOutputMap ( )
2017-08-31 14:02:36 +00:00
{
2020-10-11 16:19:10 +00:00
if ( ! useDerivation | | drv - > type ( ) ! = DerivationType : : CAFloating ) {
std : : map < std : : string , std : : optional < StorePath > > res ;
for ( auto & [ name , output ] : drv - > outputs )
res . insert_or_assign ( name , output . path ( worker . store , drv - > name , name ) ) ;
return res ;
} else {
return worker . store . queryPartialDerivationOutputMap ( drvPath ) ;
}
2017-08-31 14:02:36 +00:00
}
2020-10-11 16:19:10 +00:00
OutputPathMap DerivationGoal : : queryDerivationOutputMap ( )
2003-07-29 10:43:12 +00:00
{
2020-10-11 16:19:10 +00:00
if ( ! useDerivation | | drv - > type ( ) ! = DerivationType : : CAFloating ) {
OutputPathMap res ;
for ( auto & [ name , output ] : drv - > outputsAndOptPaths ( worker . store ) )
res . insert_or_assign ( name , * output . second ) ;
return res ;
} else {
return worker . store . queryDerivationOutputMap ( drvPath ) ;
2012-11-26 14:39:10 +00:00
}
2020-10-11 16:19:10 +00:00
}
2005-02-23 11:19:27 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : checkPathValidity ( )
{
bool checkHash = buildMode = = bmRepair ;
2021-02-12 21:50:50 +00:00
auto wantedOutputsLeft = wantedOutputs ;
2020-10-11 16:19:10 +00:00
for ( auto & i : queryPartialDerivationOutputMap ( ) ) {
2021-02-04 13:41:49 +00:00
InitialOutput & info = initialOutputs . at ( i . first ) ;
info . wanted = wantOutput ( i . first , wantedOutputs ) ;
2021-02-12 21:50:50 +00:00
if ( info . wanted )
wantedOutputsLeft . erase ( i . first ) ;
2020-10-11 16:19:10 +00:00
if ( i . second ) {
auto outputPath = * i . second ;
info . known = {
. path = outputPath ,
. status = ! worker . store . isValidPath ( outputPath )
? PathStatus : : Absent
: ! checkHash | | worker . pathContentsGood ( outputPath )
? PathStatus : : Valid
: PathStatus : : Corrupt ,
} ;
2005-02-23 11:19:27 +00:00
}
2021-01-27 09:03:05 +00:00
if ( settings . isExperimentalFeatureEnabled ( " ca-derivations " ) ) {
2021-04-22 15:55:36 +00:00
auto drvOutput = DrvOutput { initialOutputs . at ( i . first ) . outputHash , i . first } ;
if ( auto real = worker . store . queryRealisation ( drvOutput ) ) {
2021-01-27 09:03:05 +00:00
info . known = {
. path = real - > outPath ,
. status = PathStatus : : Valid ,
} ;
2021-04-22 15:55:36 +00:00
} else if ( info . known & & info . known - > status = = PathStatus : : Valid ) {
// We know the output because it' a static output of the
// derivation, and the output path is valid, but we don't have
// its realisation stored (probably because it has been built
// without the `ca-derivations` experimental flag)
worker . store . registerDrvOutput (
Realisation {
drvOutput ,
info . known - > path ,
}
) ;
2021-01-27 09:03:05 +00:00
}
}
2020-06-15 17:25:35 +00:00
}
2021-02-12 21:50:50 +00:00
// If we requested all the outputs via the empty set, we are always fine.
// If we requested specific elements, the loop above removes all the valid
// ones, so any that are left must be invalid.
if ( ! wantedOutputsLeft . empty ( ) )
2021-03-01 15:07:09 +00:00
throw Error ( " derivation '%s' does not have wanted outputs %s " ,
worker . store . printStorePath ( drvPath ) ,
concatStringsSep ( " , " , quoteStrings ( wantedOutputsLeft ) ) ) ;
2003-07-29 10:43:12 +00:00
}
Allow remote builds without sending the derivation closure
Previously, to build a derivation remotely, we had to copy the entire
closure of the .drv file to the remote machine, even though we only
need the top-level derivation. This is very wasteful: the closure can
contain thousands of store paths, and in some Hydra use cases, include
source paths that are very large (e.g. Git/Mercurial checkouts).
So now there is a new operation, StoreAPI::buildDerivation(), that
performs a build from an in-memory representation of a derivation
(BasicDerivation) rather than from a on-disk .drv file. The only files
that need to be in the Nix store are the sources of the derivation
(drv.inputSrcs), and the needed output paths of the dependencies (as
described by drv.inputDrvs). "nix-store --serve" exposes this
interface.
Note that this is a privileged operation, because you can construct a
derivation that builds any store path whatsoever. Fixing this will
require changing the hashing scheme (i.e., the output paths should be
computed from the other fields in BasicDerivation, allowing them to be
verified without access to other derivations). However, this would be
quite nice because it would allow .drv-free building (e.g. "nix-env
-i" wouldn't have to write any .drv files to disk).
Fixes #173.
2015-07-17 15:57:40 +00:00
2020-10-11 16:19:10 +00:00
void DerivationGoal : : done ( BuildResult : : Status status , std : : optional < Error > ex )
{
result . status = status ;
if ( ex )
result . errorMsg = ex - > what ( ) ;
amDone ( result . success ( ) ? ecSuccess : ecFailed , ex ) ;
if ( result . status = = BuildResult : : TimedOut )
worker . timedOut = true ;
if ( result . status = = BuildResult : : PermanentFailure )
worker . permanentFailure = true ;
2005-02-23 11:19:27 +00:00
2020-10-11 16:19:10 +00:00
mcExpectedBuilds . reset ( ) ;
mcRunningBuilds . reset ( ) ;
2005-02-23 11:19:27 +00:00
2020-10-11 16:19:10 +00:00
if ( result . success ( ) ) {
if ( status = = BuildResult : : Built )
worker . doneBuilds + + ;
} else {
if ( status ! = BuildResult : : DependencyFailed )
worker . failedBuilds + + ;
2020-06-15 17:25:35 +00:00
}
2012-07-27 13:59:18 +00:00
2020-10-11 16:19:10 +00:00
worker . updateProgress ( ) ;
2012-10-02 18:08:59 +00:00
}
2006-09-04 21:06:23 +00:00
}