author    Eelco Dolstra <eelco.dolstra@logicblox.com>  2012-07-17 10:06:20 -0400
committer Eelco Dolstra <eelco.dolstra@logicblox.com>  2012-07-17 10:06:20 -0400
commit    6c01fb4d68a80f63c692492bb91c1aa2e17b5a8f (patch)
tree      23802fd802fd71223c63e0a612d10f788c577393
parent    53b24f351852498c52377c2f011617af04bc76fa (diff)
download  guix-6c01fb4d68a80f63c692492bb91c1aa2e17b5a8f.tar.gz
Update Nix 1.1 release notes
-rw-r--r--  doc/manual/release-notes.xml  75
-rw-r--r--  src/libstore/build.cc          3
2 files changed, 70 insertions, 8 deletions
diff --git a/doc/manual/release-notes.xml b/doc/manual/release-notes.xml
index 66ced1c9c4..69ab0874b6 100644
--- a/doc/manual/release-notes.xml
+++ b/doc/manual/release-notes.xml
@@ -15,25 +15,84 @@
 <itemizedlist>
 
   <listitem>
-    <para>Builds in chroots are now executed in a private network
-    namespace, meaning that they do not see any network interfaces
-    except a private loopback interface.  This ensures that builds
-    cannot communicate with processes outside of the chroot, or clash
-    with other builds by listening on an identical port number.</para>
+    <para>On Linux, when doing a chroot build, Nix now uses various
+    namespace features provided by the Linux kernel to improve
+    build isolation.  Namely:
+    <itemizedlist>
+      <listitem><para>The private network namespace ensures that
+      builders cannot talk to the outside world (or vice versa): each
+      build only sees a private loopback interface.  This also means
+      that two concurrent builds can listen on the same port (e.g. as
+      part of a test) without conflicting with each
+      other.</para></listitem>
+      <listitem><para>The PID namespace causes each build to start as
+      PID 1.  Processes outside of the chroot are not visible to those
+      on the inside.  On the other hand, processes inside the chroot
+      <emphasis>are</emphasis> visible from the outside (though with
+      different PIDs).</para></listitem>
+      <listitem><para>The IPC namespace prevents the builder from
+      communicating with outside processes using SysV IPC mechanisms
+      (shared memory, message queues, semaphores).  It also ensures
+      that all IPC objects are destroyed when the builder
+      exits.</para></listitem>
+      <listitem><para>The UTS namespace ensures that builders see a
+      hostname of <literal>localhost</literal> rather than the actual
+      hostname.</para></listitem>
+      <listitem><para>The private mount namespace was already used by
+      Nix to ensure that the bind-mounts used to set up the chroot are
+      cleaned up automatically.</para></listitem>
+    </itemizedlist>
+    </para>
   </listitem>
 
   <listitem>
     <para>Build logs are now compressed using
     <command>bzip2</command>.  The command <command>nix-store
-    -l</command> decompresses them on the fly.</para>
+    -l</command> decompresses them on the fly.  This can be disabled
+    by setting the option <literal>build-compress-log</literal> to
+    <literal>false</literal>.</para>
   </listitem>
 
   <listitem>
     <para>The creation of build logs in
     <filename>/nix/var/log/nix/drvs</filename> can be disabled by
     setting the new option <literal>build-keep-log</literal> to
-    <literal>false</literal>.</para>
-  </listitem>    
+    <literal>false</literal>.  This is useful, for instance, for Hydra
+    build machines.</para>
+  </listitem>
+
+  <listitem>
+    <para>Nix now reserves some space in
+    <filename>/nix/var/nix/db/reserved</filename> to ensure that the
+    garbage collector can run successfully if the disk is full.  This
+    is necessary because SQLite transactions fail if the disk is
+    full.</para>
+  </listitem>
+
+  <listitem>
+    <para>Added a basic <function>fetchurl</function> function.  This
+    is not intended to replace the <function>fetchurl</function> in
+    Nixpkgs, but is useful for bootstrapping; e.g., it will allow us
+    to get rid of the bootstrap binaries in the Nixpkgs source tree
+    and download them instead.  You can use it by doing
+    <literal>import &lt;nix/fetchurl.nix> { url =
+    <replaceable>url</replaceable>; sha256 =
+    "<replaceable>hash</replaceable>"; }</literal>. (Shea Levy)</para>
+  </listitem>
+
+  <listitem>
+    <para>Improved RPM spec file. (Michel Alexandre Salim)</para>
+  </listitem>
+
+  <listitem>
+    <para>Support for on-demand socket-based activation in the Nix
+    daemon with <command>systemd</command>.</para>
+  </listitem>
+
+  <listitem>
+    <para>Added a manpage for
+    <citerefentry><refentrytitle>nix.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+  </listitem>
 
 </itemizedlist>
 
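Review bot: in the new fetchurl item, the path in `import &lt;nix/fetchurl.nix> { ... }` escapes the opening angle bracket as `&lt;` but leaves the closing one as a bare `>`. A bare `>` is legal in XML character data, so the manual still validates, but the asymmetry is easy to misread as a typo and some linters flag it; write `&lt;nix/fetchurl.nix&gt;` for consistency with the escaped opening bracket. Separately, the nested `<itemizedlist>` now sits inside the `<para>` that ends with "Namely:", with `</para>` on its own line after `</itemizedlist>`; DocBook allows block content inside `para`, but closing the paragraph before the list and dropping the trailing empty `</para>` line keeps the structure in line with the sibling items, which each hold a single `<para>`.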
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 8eb5dfa41b..12940e268c 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1796,6 +1796,9 @@ void DerivationGoal::startBuilder()
          with outside processes using SysV IPC mechanisms (shared
          memory, message queues, semaphores).  It also ensures that
          all IPC objects are destroyed when the builder exits.
+
+       - The UTS namespace ensures that builders see a hostname of
+         localhost rather than the actual hostname.
     */
 #if CHROOT_ENABLED
     if (useChroot) {
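Review bot: this hunk only extends the comment block describing the namespaces, and the diffstat shows build.cc changing by three lines, so nothing visible here implements the UTS namespace the comment now promises (an unshare with the UTS flag plus setting the hostname to `localhost`). Either the implementation landed in an earlier commit, in which case the commit message should reference it, or the comment is now ahead of the code under the `#if CHROOT_ENABLED` / `if (useChroot)` guard that follows. Suggest confirming that the clone flags used in `startBuilder` include the UTS namespace and that the hostname is actually set, since the release notes in the same commit state this as delivered behaviour.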