diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-17 10:06:20 -0400 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-17 10:06:20 -0400 |
commit | 6c01fb4d68a80f63c692492bb91c1aa2e17b5a8f (patch) | |
tree | 23802fd802fd71223c63e0a612d10f788c577393 | |
parent | 53b24f351852498c52377c2f011617af04bc76fa (diff) | |
download | guix-6c01fb4d68a80f63c692492bb91c1aa2e17b5a8f.tar.gz |
Update Nix 1.1 release notes
-rw-r--r-- | doc/manual/release-notes.xml | 75 | ||||
-rw-r--r-- | src/libstore/build.cc | 3 |
2 files changed, 70 insertions, 8 deletions
diff --git a/doc/manual/release-notes.xml b/doc/manual/release-notes.xml index 66ced1c9c4..69ab0874b6 100644 --- a/doc/manual/release-notes.xml +++ b/doc/manual/release-notes.xml @@ -15,25 +15,84 @@ <itemizedlist> <listitem> - <para>Builds in chroots are now executed in a private network - namespace, meaning that they do not see any network interfaces - except a private loopback interface. This ensures that builds - cannot communicate with processes outside of the chroot, or clash - with other builds by listening on an identical port number.</para> + <para>On Linux, when doing a chroot build, Nix now uses various + namespace features provided by the Linux kernel to improve + build isolation. Namely: + <itemizedlist> + <listitem><para>The private network namespace ensures that + builders cannot talk to the outside world (or vice versa): each + build only sees a private loopback interface. This also means + that two concurrent builds can listen on the same port (e.g. as + part of a test) without conflicting with each + other.</para></listitem> + <listitem><para>The PID namespace causes each build to start as + PID 1. Processes outside of the chroot are not visible to those + on the inside. On the other hand, processes inside the chroot + <emphasis>are</emphasis> visible from the outside (though with + different PIDs).</para></listitem> + <listitem><para>The IPC namespace prevents the builder from + communicating with outside processes using SysV IPC mechanisms + (shared memory, message queues, semaphores). It also ensures + that all IPC objects are destroyed when the builder + exits.</para></listitem> + <listitem><para>The UTS namespace ensures that builders see a + hostname of <literal>localhost</literal> rather than the actual + hostname.</para></listitem> + <listitem><para>The private mount namespace was already used by + Nix to ensure that the bind-mounts used to set up the chroot are + cleaned up automatically.</para></listitem> + </itemizedlist> + </para> </listitem> <listitem> <para>Build logs are now compressed using <command>bzip2</command>. The command <command>nix-store - -l</command> decompresses them on the fly.</para> + -l</command> decompresses them on the fly. This can be disabled + by setting the option <literal>build-compress-log</literal> to + <literal>false</literal>.</para> </listitem> <listitem> <para>The creation of build logs in <filename>/nix/var/log/nix/drvs</filename> can be disabled by setting the new option <literal>build-keep-log</literal> to - <literal>false</literal>.</para> - </listitem> + <literal>false</literal>. This is useful, for instance, for Hydra + build machines.</para> + </listitem> + + <listitem> + <para>Nix now reserves some space in + <filename>/nix/var/nix/db/reserved</filename> to ensure that the + garbage collector can run successfully if the disk is full. This + is necessary because SQLite transactions fail if the disk is + full.</para> + </listitem> + + <listitem> + <para>Added a basic <function>fetchurl</function> function. This + is not intended to replace the <function>fetchurl</function> in + Nixpkgs, but is useful for bootstrapping; e.g., it will allow us + to get rid of the bootstrap binaries in the Nixpkgs source tree + and download them instead. You can use it by doing + <literal>import <nix/fetchurl.nix> { url = + <replaceable>url</replaceable>; sha256 = + "<replaceable>hash</replaceable>"; }</literal>. (Shea Levy)</para> + </listitem> + + <listitem> + <para>Improved RPM spec file. (Michel Alexandre Salim)</para> + </listitem> + + <listitem> + <para>Support for on-demand socket-based activation in the Nix + daemon with <command>systemd</command>.</para> + </listitem> + + <listitem> + <para>Added a manpage for + <citerefentry><refentrytitle>nix.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> + </listitem> </itemizedlist> diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 8eb5dfa41b..12940e268c 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1796,6 +1796,9 @@ void DerivationGoal::startBuilder() with outside processes using SysV IPC mechanisms (shared memory, message queues, semaphores). It also ensures that all IPC objects are destroyed when the builder exits. + + - The UTS namespace ensures that builders see a hostname of + localhost rather than the actual hostname. */ #if CHROOT_ENABLED if (useChroot) { |