Commit graph

273 commits

Author SHA1 Message Date
Eelco Dolstra d4dcffd643
Add pure evaluation mode
In this mode, the following restrictions apply:

* The builtins currentTime, currentSystem and storePath throw an
  error.

* $NIX_PATH and -I are ignored.

* fetchGit and fetchMercurial require a revision hash.

* fetchurl and fetchTarball require a sha256 attribute.

* No file system access is allowed outside of the paths returned by
  fetch{Git,Mercurial,url,Tarball}. Thus 'nix build -f ./foo.nix' is
  not allowed.

Thus, the evaluation result is completely reproducible from the
command line arguments. E.g.

  nix build --pure-eval '(
    let
      nix = fetchGit { url = https://github.com/NixOS/nixpkgs.git; rev = "9c927de4b179a6dd210dd88d34bda8af4b575680"; };
      nixpkgs = fetchGit { url = https://github.com/NixOS/nixpkgs.git; ref = "release-17.09"; rev = "66b4de79e3841530e6d9c6baf98702aa1f7124e4"; };
    in (import (nix + "/release.nix") { inherit nix nixpkgs; }).build.x86_64-linux
  )'

The goal is to enable completely reproducible and traceable
evaluation. For example, a NixOS configuration could be fully
described by a single Git commit hash. 'nixos-rebuild' would do
something like

  nix build --pure-eval '(
    (import (fetchGit { url = file:///my-nixos-config; rev = "..."; })).system
  ')

where the Git repository /my-nixos-config would use further fetchGit
calls or Git externals to fetch Nixpkgs and whatever other
dependencies it has. Either way, the commit hash would uniquely
identify the NixOS configuration and allow it to reproduced.
2018-01-16 19:23:18 +01:00
Will Dietz 435ccc7980 release: access fetchGit from builtins to fix eval w/1.11 (<1.12) 2018-01-10 14:19:29 -06:00
Benjamin Hipple 1882e802e7 Fix Fedora 25 i386 RPM build 2018-01-04 19:44:32 -05:00
Benjamin Hipple 4cb5c51375 Fix RPM builds by increasing VM memory size
The VM was running out of RAM while handling debug symbols, which caused the
eu-strip to fail while separating debug symbols.
2018-01-02 23:39:42 -05:00
Eelco Dolstra 4801420893
Remove debug line 2017-12-25 14:53:15 +01:00
Eelco Dolstra 6d80870832
release.nix: Use fetchTarball and fetchGit
In particular, using fetchGit means we don't need hackery to clean the
source tree when building from an unclean tree.
2017-12-22 11:35:32 +01:00
Graham Christensen e4ece83b1a
tests.setuid: only on i686 and x86_64 linuxs 2017-12-12 08:31:31 -05:00
Eelco Dolstra 7f2c324ed1
Simplify build by including nlohmann/json.hpp 2017-12-04 17:11:36 +01:00
Eelco Dolstra 2f5789c5d6
Add dependencies for coverage test 2017-11-14 18:47:44 +01:00
Eelco Dolstra 4b45d8c95a
Update lcov filter 2017-11-14 18:47:37 +01:00
Eelco Dolstra c0d93a01ee
Remove ncurses-bin 2017-11-14 14:16:16 +01:00
Eelco Dolstra 4dee01da7c
fetchGit: Add a test 2017-11-03 13:55:30 +01:00
Eelco Dolstra 1969f357b7
Add fetchMercurial primop
E.g.

  $ nix eval '(fetchMercurial https://www.mercurial-scm.org/repo/hello)'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "82e55d328c8ca4ee16520036c0aaace03a5beb65"; revCount = 1; shortRev = "82e55d328c8c"; }

  $ nix eval '(fetchMercurial { url = https://www.mercurial-scm.org/repo/hello; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; })'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; revCount = 0; shortRev = "0a04b987be5a"; }

  $ nix eval '(fetchMercurial /tmp/unclean-hg-tree)'
  { branch = "default"; outPath = "/nix/store/cm750cdw1x8wfpm3jq7mz09r30l9r024-source"; rev = "0000000000000000000000000000000000000000"; revCount = 0; shortRev = "000000000000"; }
2017-11-01 17:45:32 +01:00
Jörg Thalheim e94fc238cf fixing bashisms in test code
This fixed the build on ubuntu/debian, where dash is the sh.
2017-10-06 06:12:33 -05:00
Eelco Dolstra 346aeee1cb
Remove Debian 8 and Ubuntu 14.10
These have a GCC (4.9) that is too old.

https://hydra.nixos.org/eval/1391740
2017-09-14 18:56:33 +02:00
Eelco Dolstra 4af2611bd1
Allow builders to create activities
Actually, currently they can only create download activities. Thus,
downloads by builtins.fetchurl show up in the progress bar.
2017-08-21 12:18:46 +02:00
Matthew Bauer 2c75945de5
Remove nix-mode.el from Nix.
This removes the file nix-mode.el from Nix. The file is now available within the
repository https://github.com/NixOS/nix-mode.

Fixes #662
Fixes #1040
Fixes #1054
Fixes #1055
Closes #1119
Fixes #1419

NOTE: all of the above should be fixed within NixOS/nix-mode. If one of those
hasn’t please reopen within NixOS/nix-mode and not within NixOS/nix.
2017-08-19 21:16:30 -07:00
Graham Christensen fb40d73e23
Switch to a fancy multi-user installer on Darwin 2017-07-14 12:10:44 -04:00
Graham Christensen a0ad8ba12e
Shellcheck the existing installer 2017-07-14 11:42:33 -04:00
Eelco Dolstra 38374a9d35
Tarball job: Include libseccomp on Linux only 2017-07-14 11:41:37 +02:00
Shea Levy 04ed11a978 Let hydra choose an alternate list of systems 2017-06-19 14:21:06 -04:00
Eelco Dolstra b4b1f4525f
Fix coverage job 2017-06-01 14:43:15 +02:00
Eelco Dolstra ab5834f7a1
RPM, Deb: Add dependency on libseccomp 2017-06-01 14:28:21 +02:00
Eelco Dolstra 1d9ab273ba
Add test for setuid seccomp filter 2017-05-29 16:14:10 +02:00
Eelco Dolstra 6cc6c15a2d
Add a seccomp filter to prevent creating setuid/setgid binaries
This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.

This is based on aszlig's seccomp code
(47f587700d).

Reported by Linus Heckemann.
2017-05-29 16:14:10 +02:00
Eelco Dolstra a2d92bb20e
Add --with-sandbox-shell configure flag
And add a 116 KiB ash shell from busybox to the release build. This
helps to make sandbox builds work out of the box on non-NixOS systems
and with diverted stores.
2017-05-15 17:36:32 +02:00
Eelco Dolstra c5f23f10a8
Replace readline by linenoise
Using linenoise avoids a license compatibility issue (#1356), is a lot
smaller and doesn't pull in ncurses.
2017-05-10 18:37:42 +02:00
Eelco Dolstra 44309c5067
Fix Ubuntu 16.10 build
http://hydra.nixos.org/build/52420073
2017-05-03 18:30:47 +02:00
Eelco Dolstra d3dcdfa006
Fix perlBindings.x86_64-darwin
http://hydra.nixos.org/build/52401151
2017-05-03 11:30:22 +02:00
Eelco Dolstra 73bba12d8b
Check for libreadline 2017-04-28 16:53:56 +02:00
Eelco Dolstra 921a2aeb05
Make "nix repl" build 2017-04-25 18:48:40 +02:00
Eelco Dolstra da76c72bc9
Build on aarch64-linux 2017-04-14 14:02:43 +02:00
Eelco Dolstra b134c2d052
Drop WWW::Curl dependency
Somehow this came back after d1da6967b8.
2017-04-11 15:41:50 +02:00
Eelco Dolstra b9b8b8a63b
Fix evaluation error 2017-03-31 15:54:15 +02:00
Eelco Dolstra c0745a2531
Merge branch 'remove-perl' of https://github.com/shlevy/nix 2017-03-31 14:13:32 +02:00
Shea Levy a75475ca61 Remove tabs 2017-03-30 16:51:50 -04:00
Eelco Dolstra e8186085e0
Add support for brotli compression
Build logs on cache.nixos.org are compressed using Brotli (since this
allows them to be decompressed automatically by Chrome and Firefox),
so it's handy if "nix log" can decompress them.
2017-03-15 16:49:06 +01:00
Shea Levy b667abc699 Add signing and s3 support on darwin 2017-03-05 07:39:10 -05:00
Eelco Dolstra fe2db1dae5
Doh 2017-02-22 15:39:17 +01:00
Eelco Dolstra b8ce649a35
Fix 32-bit RPM/Deb builds
http://hydra.nixos.org/build/49130529
2017-02-22 13:54:11 +01:00
Eelco Dolstra 1a57f499b0
Drop some Ubuntu releases 2017-02-21 15:20:40 +01:00
Eelco Dolstra b95ce3194d
Debian build: Use parallel make and add Ubuntu 16.10 2017-02-21 15:03:23 +01:00
Eelco Dolstra e4dd7dadf4
RPM build: Use parallel make 2017-02-21 14:52:36 +01:00
Eelco Dolstra bb6656b8a2
Build RPMs for Fedora 25
Disabled hardened build because it makes the linker fail with messages like

  relocation R_X86_64_PC32 against undefined symbol `BZ2_bzWriteOpen' can not be used when making a shared object; recompile with -fPIC

See https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
2017-02-21 14:26:23 +01:00
Shea Levy f7b7df8d1f Add nix-perl package for the perl bindings 2017-02-07 15:56:32 -05:00
Shea Levy 418a837897 Remove perl dependency.
Fixes #341
2017-02-07 15:56:32 -05:00
Eelco Dolstra 583ff4ec46
release.nix: Drop nix-shell references 2017-01-27 16:13:22 +01:00
Eelco Dolstra 3a4bd320c2
Revert "Merge branch 'seccomp' of https://github.com/aszlig/nix"
This reverts commit 9f3f2e21ed, reversing
changes made to 47f587700d.
2016-12-19 11:52:57 +01:00
Eelco Dolstra 9f3f2e21ed
Merge branch 'seccomp' of https://github.com/aszlig/nix 2016-12-15 12:04:45 +01:00
Eelco Dolstra d1da6967b8
Drop unused WWW::Curl dependency 2016-12-06 17:17:29 +01:00
aszlig 651a18dd24
release.nix: Add a test for sandboxing
Right now it only tests whether seccomp correctly forges the return
value of chown, but the long-term goal is to test the full sandboxing
functionality at some point in the future.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16 16:48:34 +01:00
aszlig 1c52e344c4
Add build dependency for libseccomp
We're going to use libseccomp instead of creating the raw BPF program,
because we have different syscall numbers on different architectures.

Although our initial seccomp rules will be quite small it really doesn't
make sense to generate the raw BPF program because we need to duplicate
it and/or make branches on every single architecture we want to suuport.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-11-16 16:48:26 +01:00
Eelco Dolstra 21c55ab3b5 Implement backwards-compatible RemoteStore::addToStore()
The SSHStore PR adds this functionality to the daemon, but we have to
handle the case where the Nix daemon is 1.11.

Also, don't require signatures for trusted users. This restores 1.11
behaviour.

Fixes https://github.com/NixOS/hydra/issues/398.
2016-11-09 18:45:06 +01:00
Eelco Dolstra dd85fc1c5a Drop Fedora 19/20 builds
These don't support regex_replace either.
2016-08-30 14:36:04 +02:00
Eelco Dolstra 042c060f78 Drop Ubuntu 13.10, 14.04 builds
These don't support regex_replace.

http://hydra.nixos.org/build/39363999
http://hydra.nixos.org/build/39363981
2016-08-30 13:26:08 +02:00
Eelco Dolstra 2fad86f361 Remove $NIX_DB_DIR
This variable has no reason to exist, given $NIX_STATE_DIR.
2016-08-10 18:05:35 +02:00
Eelco Dolstra 1b5b654fe2 Fix OOM in the installer test
http://hydra.nixos.org/build/36462209
2016-05-31 15:16:21 +02:00
Eelco Dolstra 0a9d627e50 Doh 2016-05-31 13:38:36 +02:00
Eelco Dolstra 88b79cd55c Fix Debian 8 build
http://hydra.nixos.org/build/36462150
2016-05-31 13:37:33 +02:00
Eelco Dolstra 10f3a2e5f2 Fix clang build failure
Apparently opinion is divided on whether [[noreturn]] is allowed on a
lambda: http://stackoverflow.com/questions/26888805/how-to-declare-a-lambdas-operator-as-noreturn

http://hydra.nixos.org/build/36462100
2016-05-31 13:23:54 +02:00
Eelco Dolstra 75d2492f20 Make the aws-cpp-sdk dependency optional 2016-05-04 17:16:48 +02:00
Eelco Dolstra 0f4dd4417e Merge pull request #892 from domenkozar/ubuntu1604
add Ubuntu 16.03 .deb builds
2016-05-02 15:36:58 +02:00
Domen Kožar bf386de9f2 add Ubuntu 16.03 .deb builds 2016-04-29 16:11:51 +01:00
Eelco Dolstra d155d80155 Move S3BinaryCacheStore from Hydra
This allows running arbitrary Nix commands against an S3 binary cache.

To do: make this a compile time option to prevent a dependency on
aws-sdk-cpp.
2016-04-21 16:08:51 +02:00
Eelco Dolstra 58e423ce32 Remove PDF manual
More spring cleaning.
2016-04-14 12:50:01 +02:00
Dan Peebles c89783b6a7 Kill the temporary darwin-specific channel
The issues have been resolved upstream in the main nixpkgs channel now
2016-03-28 20:06:46 -04:00
Eelco Dolstra 7251a81bde Drop all distros that are not down with C++11 2016-02-17 13:36:56 +01:00
Eelco Dolstra da4495eb17 Fix eval 2016-01-20 00:26:51 +01:00
Eelco Dolstra 9fff492561 Add tests for Nixpkgs/NixOS evaluation 2016-01-19 21:10:32 +01:00
Eelco Dolstra 4202b17666 Temporarily do Darwin builds from a different Nixpkgs branch 2016-01-08 10:48:48 +01:00
Eelco Dolstra 10a6aa3ad4 Revert accidental disable of doInstallCheck 2016-01-07 16:05:02 +01:00
Eelco Dolstra 458711e4ee Fix "Bad address" executing build hook
This was observed in the deb_debian7x86_64 build:
http://hydra.nixos.org/build/29973215

Calling c_str() on a temporary should be fine because the temporary
shouldn't be destroyed until after the execl() call, but who knows...
2016-01-07 15:10:14 +01:00
Jim Garrison b07b3b0264 Make Debian package depend on libcurl3-nss
Otherwise nix-env fails to start if it is not installed
2015-12-14 19:42:42 -08:00
Eelco Dolstra 399397c907 Fix coverage build 2015-12-10 11:47:34 +01:00
Eelco Dolstra efd6a8c9f6 Fix Ubuntu/Debian/Fedora builds 2015-11-25 16:12:30 +01:00
Eelco Dolstra 27d6ed5c68 Remove sandboxProfile from release.nix
There is really no conceivable reason why building Nix would need
access to the host's nix.conf. If it does, it's a bug, and we should
fix that instead.
2015-11-25 14:45:27 +01:00
Jude Taylor 279fa8f618 reintroduce host deps in tandem with sandbox profiles 2015-11-21 15:57:06 -08:00
Jude Taylor 4876bb012e simplify build permissions 2015-11-14 14:11:03 -08:00
Jude Taylor 22dfd023fa update sandbox profiles within nix 2015-11-14 14:11:03 -08:00
Eelco Dolstra b83fb35f79 Fix tarball build
Fixes #671.
2015-10-31 01:31:07 +01:00
Eelco Dolstra 1f735a3440 <nix/fetchurl.nix>: Support xz-compressed NARs 2015-10-30 12:34:30 +01:00
John Ericson a7dd26961d Don't depend on git when generating source tarball 2015-10-15 11:53:45 -07:00
John Ericson 164487a5ba Simplify source tarball postUnpack cleanupx 2015-10-15 11:42:24 -07:00
Vladimír Čunát fd74296e2f release: fix #652 - PDF build after dblatex updates
... while not changing behavior when used with older nixpkgs.
2015-09-25 12:48:35 +02:00
Eelco Dolstra 0d4d92fcf9 Debian package: Declare runtime dependency on libsodium13
Fixes #558.
2015-06-17 10:33:51 +02:00
Eelco Dolstra 898703e006 Build against libsodium on Ubuntu 15.04 and Debian 8 2015-06-02 13:14:31 +02:00
Benjamin Staffin 07c69aa03b Add Debian 8.0 builds
Change-Id: I68a54a0c3f97da2d062f43b638de817fd40f2dcd
2015-05-29 11:54:37 +02:00
Eelco Dolstra b2798902ea Build on Ubuntu 15.04 2015-05-22 13:32:03 +02:00
Eelco Dolstra be1ff23352 Add dependency on libcurl-dev
http://hydra.nixos.org/eval/1179370
2015-03-27 12:27:36 +01:00
Eelco Dolstra 5114a07d95 Improve setting the default chroot dirs 2015-03-24 11:57:46 +01:00
Eelco Dolstra fd89f97be9 Add the closure of store paths to the chroot
Thus, for example, to get /bin/sh in a chroot, you only need to
specify /bin/sh=${pkgs.bash}/bin/sh in build-chroot-dirs. The
dependencies of sh will be added automatically.
2015-03-24 11:52:34 +01:00
Eelco Dolstra b0bad3e615 Revert "Remove Fedora 18, 19 builds"
This reverts commit 9c58691ce3. Fedora
18/19 images should build again.
2015-02-12 17:44:29 +01:00
Eelco Dolstra b4e7eec16a Don't depend on libsodium on Darwin
It doesn't build at the moment.

http://hydra.nixos.org/build/19557641
2015-02-10 14:15:42 +01:00
Eelco Dolstra 5d9cd27dce Add Fedora 21 build
Fixes #467.
2015-02-10 11:33:33 +01:00
Eelco Dolstra e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Eelco Dolstra 20cf0127f5 Include cacert in the binary tarball
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 16:05:08 +01:00
Eelco Dolstra 9c58691ce3 Remove Fedora 18, 19 builds
http://hydra.nixos.org/build/17703462
2014-12-08 18:01:18 +01:00
Eelco Dolstra b6f99e5a23 Remove some platforms with too-old compilers 2014-12-05 21:16:26 +01:00
Eelco Dolstra d4c8ee7059 Rely on XML catalogs to find the DocBook schemas and stylesheets 2014-11-25 15:54:26 +01:00
Eelco Dolstra fe37ed1219 Remove Hydra scheduling priorities
They're not so important anymore now that Hydra has jobset scheduling.
2014-11-20 13:26:10 +01:00