Merge pull request #9661 from shlevy/ifd-buildStore

Build IFD in the build store when using eval-store.
2023-12-24 01:26:14 -05:00 · 2023-12-24 01:26:14 -05:00 · e23983db82
parent ee439734e9 c3942ef85f
commit e23983db82
5 changed files with 40 additions and 18 deletions
--- a/doc/manual/rl-next/ifd-eval-store.md
+++ b/doc/manual/rl-next/ifd-eval-store.md
@ -0,0 +1,8 @@
+---
+synopsis: import-from-derivation builds the derivation in the build store
+prs: 9661
+---
+
+When using `--eval-store`, `import`ing from a derivation will now result in the derivation being built on the build store, i.e. the store specified in the `store` Nix option.
+
+Because the resulting Nix expression must be copied back to the eval store in order to be imported, this requires the eval store to trust the build store's signatures.
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@ -84,14 +84,14 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
    /* Build/substitute the context. */
    std::vector<DerivedPath> buildReqs;
    for (auto & d : drvs) buildReqs.emplace_back(DerivedPath { d });
-    store->buildPaths(buildReqs);
+    buildStore->buildPaths(buildReqs, bmNormal, store);
+
+    StorePathSet outputsToCopyAndAllow;

    for (auto & drv : drvs) {
-        auto outputs = resolveDerivedPath(*store, drv);
+        auto outputs = resolveDerivedPath(*buildStore, drv, &*store);
        for (auto & [outputName, outputPath] : outputs) {
-            /* Add the output of this derivations to the allowed
-               paths. */
-            allowPath(store->toRealPath(outputPath));
+            outputsToCopyAndAllow.insert(outputPath);

            /* Get all the output paths corresponding to the placeholders we had */
            if (experimentalFeatureSettings.isEnabled(Xp::CaDerivations)) {
@ -101,12 +101,19 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
                            .drvPath = drv.drvPath,
                            .output = outputName,
                        }).render(),
-                    store->printStorePath(outputPath)
+                    buildStore->printStorePath(outputPath)
                );
            }
        }
    }

+    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);
+    for (auto & outputPath : outputsToCopyAndAllow) {
+        /* Add the output of this derivations to the allowed
+           paths. */
+        allowPath(store->toRealPath(outputPath));
+    }
+
    return res;
 }

--- a/tests/functional/eval-store.sh
+++ b/tests/functional/eval-store.sh
@ -40,3 +40,11 @@ if [[ ! -n "${NIX_TESTS_CA_BY_DEFAULT:-}" ]]; then
    (! ls $NIX_STORE_DIR/*.drv)
 fi
 ls $eval_store/nix/store/*.drv
+
+clearStore
+rm -rf "$eval_store"
+
+# Confirm that import-from-derivation builds on the build store
+[[ $(nix eval --eval-store "$eval_store?require-sigs=false" --impure --raw --file ./ifd.nix) = hi ]]
+ls $NIX_STORE_DIR/*dependencies-top/foobar
+(! ls $eval_store/nix/store/*dependencies-top/foobar)
--- a/tests/functional/ifd.nix
+++ b/tests/functional/ifd.nix
@ -0,0 +1,10 @@
+with import ./config.nix;
+import (
+  mkDerivation {
+    name = "foo";
+    bla = import ./dependencies.nix {};
+    buildCommand = "
+      echo \\\"hi\\\" > $out
+    ";
+  }
+)
--- a/tests/functional/remote-store.sh
+++ b/tests/functional/remote-store.sh
@ -19,18 +19,7 @@ else
 fi

 # Test import-from-derivation through the daemon.
-[[ $(nix eval --impure --raw --expr '
-  with import ./config.nix;
-  import (
-    mkDerivation {
-      name = "foo";
-      bla = import ./dependencies.nix {};
-      buildCommand = "
-        echo \\\"hi\\\" > $out
-      ";
-    }
-  )
-') = hi ]]
+[[ $(nix eval --impure --raw --file ./ifd.nix) = hi ]]

 storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh