[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
20/27: Use chroots for all derivations
|
From: |
Ludovic Courtès |
|
Subject: |
20/27: Use chroots for all derivations |
|
Date: |
Wed, 03 Jun 2015 22:00:44 +0000 |
civodul pushed a commit to branch nix
in repository guix.
commit 67af480244250409c8cf41e66a4995258b8ccc9b
Author: Eelco Dolstra <address@hidden>
Date: Mon Feb 23 15:41:41 2015 +0100
Use chroots for all derivations
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are
now also chrooted. However, unlike normal derivations, they don't get
a private network namespace, so they can still access the
network. Also, the use of the ‘__noChroot’ derivation attribute is
no longer allowed.
Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
Note for Guix: unlike Nix commit 99897f6, we keep 'settings.useChroot'.
---
nix/libstore/build.cc | 38 +++++++++++++++++++++-----------------
1 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 6276937..7153c85 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1752,19 +1752,8 @@ void DerivationGoal::startBuilder()
throw SysError(format("cannot change ownership of '%1%'") %
tmpDir);
}
-
- /* Are we doing a chroot build? Note that fixed-output
- derivations are never done in a chroot, mainly so that
- functions like fetchurl (which needs a proper /etc/resolv.conf)
- work properly. Purity checking for fixed-output derivations
- is somewhat pointless anyway. */
useChroot = settings.useChroot;
- if (fixedOutput) useChroot = false;
-
- /* Hack to allow derivations to disable chroot builds. */
- if (get(drv.env, "__noChroot") == "1") useChroot = false;
-
if (useChroot) {
#if CHROOT_ENABLED
/* Create a temporary directory in which we set up the chroot
@@ -1805,7 +1794,8 @@ void DerivationGoal::startBuilder()
% (buildUser.enabled() ? buildUser.getGID() :
getgid())).str());
/* Create /etc/hosts with localhost entry. */
- writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n");
+ if (!fixedOutput)
+ writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n");
/* Bind-mount a user-configurable set of directories from the
host file system. */
@@ -1938,9 +1928,12 @@ void DerivationGoal::startBuilder()
*/
#if CHROOT_ENABLED
if (useChroot) {
- char stack[32 * 1024];
- pid = clone(childEntry, stack + sizeof(stack) - 8,
- CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWIPC |
CLONE_NEWUTS | SIGCHLD, this);
+ char stack[32 * 1024];
+ int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS |
SIGCHLD;
+ if (!fixedOutput) flags |= CLONE_NEWNET;
+ pid = clone(childEntry, stack + sizeof(stack) - 8, flags, this);
+ if (pid == -1)
+ throw SysError("cloning builder process");
} else
#endif
{
@@ -2026,10 +2019,10 @@ void DerivationGoal::runChild()
/* Set up a nearly empty /dev, unless the user asked to
bind-mount the host /dev. */
+ Strings ss;
if (dirsInChroot.find("/dev") == dirsInChroot.end()) {
createDirs(chrootRootDir + "/dev/shm");
createDirs(chrootRootDir + "/dev/pts");
- Strings ss;
ss.push_back("/dev/full");
#ifdef __linux__
if (pathExists("/dev/kvm"))
@@ -2040,13 +2033,24 @@ void DerivationGoal::runChild()
ss.push_back("/dev/tty");
ss.push_back("/dev/urandom");
ss.push_back("/dev/zero");
- foreach (Strings::iterator, i, ss) dirsInChroot[*i] = *i;
createSymlink("/proc/self/fd", chrootRootDir + "/dev/fd");
createSymlink("/proc/self/fd/0", chrootRootDir + "/dev/stdin");
createSymlink("/proc/self/fd/1", chrootRootDir +
"/dev/stdout");
createSymlink("/proc/self/fd/2", chrootRootDir +
"/dev/stderr");
}
+ /* Fixed-output derivations typically need to access the
+ network, so give them access to /etc/resolv.conf and so
+ on. */
+ if (fixedOutput) {
+ ss.push_back("/etc/resolv.conf");
+ ss.push_back("/etc/nsswitch.conf");
+ ss.push_back("/etc/services");
+ ss.push_back("/etc/hosts");
+ }
+
+ for (auto & i : ss) dirsInChroot[i] = i;
+
/* Bind-mount all the directories from the "host"
filesystem that we want in the chroot
environment. */
- 12/27: libutil: Improve errmsg on readLink size mismatch., (continued)
- 12/27: libutil: Improve errmsg on readLink size mismatch., Ludovic Courtès, 2015/06/03
- 13/27: libutil: Limit readLink() error to only overflows., Ludovic Courtès, 2015/06/03
- 11/27: Pedantry, Ludovic Courtès, 2015/06/03
- 14/27: Set /nix/store permission to 1737, Ludovic Courtès, 2015/06/03
- 16/27: Doh^2, Ludovic Courtès, 2015/06/03
- 17/27: Simplify printHash32, Ludovic Courtès, 2015/06/03
- 18/27: Simplify parseHash32, Ludovic Courtès, 2015/06/03
- 19/27: Use pivot_root in addition to chroot when possible, Ludovic Courtès, 2015/06/03
- 15/27: Doh, Ludovic Courtès, 2015/06/03
- 22/27: Tighten permissions on chroot directories, Ludovic Courtès, 2015/06/03
- 20/27: Use chroots for all derivations,
Ludovic Courtès <=
- 25/27: Revert /nix/store permission back to 01775, Ludovic Courtès, 2015/06/03
- 21/27: Fix typos: s/the the/the/, Ludovic Courtès, 2015/06/03
- 24/27: Chroot builds: Provide world-readable /nix/store, Ludovic Courtès, 2015/06/03
- 23/27: addToStore(): Take explicit name argument, Ludovic Courtès, 2015/06/03
- 27/27: Don't let unprivileged users repair paths, Ludovic Courtès, 2015/06/03
- 26/27: Add a ‘verifyStore’ RPC, Ludovic Courtès, 2015/06/03