authorLudovic Courtès <ludo@gnu.org>2015-07-02 23:37:29 +0200
committerLudovic Courtès <ludo@gnu.org>2015-07-03 00:30:55 +0200
commit322eeb87d0e5bb608ae1c176611a50297c93cbe8 (patch)
treeecc0c32c8365b66021be9a26b77a084efc179be3 /nix/libstore/build.cc
parentd2cef629fd5856540f6e1edf8f9d2131ec7a6942 (diff)
Merge branch 'nix'.
This is a squashed commit of the following:

commit 0dccab9f417b406f5d4aedc81900fc7b2f16c9f6
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Thu Jul 2 00:30:16 2015 +0200

    Typo

commit 2cd28517b13524c242c7758783b0b2d8250fdded
Author: Ludovic Courtès <ludo@gnu.org>
Date:   Wed Jul 1 14:56:34 2015 +0200

    Preserve supplementary groups of build users

    The following patch is an attempt to address this bug (see
    <http://bugs.gnu.org/18994>) by preserving the supplementary groups of
    build users in the build environment.

    In practice, I would expect that supplementary groups would contain only
    one or two groups: the build users group, and possibly the “kvm” group.

    [Changed &at(0) to data() and removed tabs - Eelco]

commit 6e38685ef65284093df79ebe7378bac33b0e7e5d
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Tue Jun 30 21:41:26 2015 +0200

    GC: Handle ENOSPC creating/moving to the trash directory

    Issue #564.

commit 5e0a9ae2e25a1016389f4893a6ed6682aadcf51d
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Mon Jun 22 15:54:55 2015 +0200

    Use posix_fallocate to create /nix/var/nix/db/reserved

commit 4e5ab98d6d14f8b0e3bd1d77b2f4f2354e7a49a8
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Mon Jun 22 15:47:40 2015 +0200

    Make /nix/var/nix/db/reserved bigger

    Issue #564.

commit 60bda60fc06135aa97a93301b1a9e2270768f5b3
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Wed Jun 10 16:17:06 2015 +0200

    Export outputPaths function

    This is useful for the new hydra-queue-runner.

commit 5dfea34048aa8541f20aeb2fbcd163561b609a49
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Thu Jul 2 22:51:33 2015 +0200

    Use std::vector::data()

commit 2459458bc8257734ca78cb7a2db3df20bd730ec0
Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date:   Thu Jun 4 16:04:41 2015 +0200

    Allow substitutes for builds that have preferLocalBuild set

    Not substituting builds with "preferLocalBuild = true" was a bad idea,
    because it didn't take the cost of dependencies into account. For
    instance, if we can't substitute a fetchgit call, then we have to
    download/build git and all its dependencies.

    Partially reverts 5558652709f27e8a887580b77b93c705659d7a4b and adds a
    new derivation attribute "allowSubstitutes" to specify whether a
    derivation may be substituted.
Diffstat (limited to 'nix/libstore/build.cc')
-rw-r--r--nix/libstore/build.cc62
1 files changed, 35 insertions, 27 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 85a818ba94..a9eedcef16 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -447,6 +447,7 @@ private:
     string user;
     uid_t uid;
     gid_t gid;
+    std::vector<gid_t> supplementaryGIDs;
 
 public:
     UserLock();
@@ -460,6 +461,7 @@ public:
     string getUser() { return user; }
     uid_t getUID() { return uid; }
     uid_t getGID() { return gid; }
+    std::vector<gid_t> getSupplementaryGIDs() { return supplementaryGIDs; }
 
     bool enabled() { return uid != 0; }
 
@@ -539,6 +541,17 @@ void UserLock::acquire()
                 throw Error(format("the Nix user should not be a member of `%1%'")
                     % settings.buildUsersGroup);
 
+            /* Get the list of supplementary groups of this build user.  This
+               is usually either empty or contains a group such as "kvm".  */
+            supplementaryGIDs.resize(10);
+            int ngroups = supplementaryGIDs.size();
+            int err = getgrouplist(pw->pw_name, pw->pw_gid,
+                supplementaryGIDs.data(), &ngroups);
+            if (err == -1)
+                throw Error(format("failed to get list of supplementary groups for ‘%1%’") % pw->pw_name);
+
+            supplementaryGIDs.resize(ngroups);
+
             return;
         }
     }
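Review bot: A build user that belongs to more than ten groups makes `getgrouplist` fail at `if (err == -1)`, and the new code turns that into a hard error instead of retrying with a larger buffer. On glibc the call stores the required count in `ngroups` when the buffer is too small, so the code can resize to that count and call once more before throwing. The fixed `resize(10)` is fine as a first guess but should not be a limit on how many groups an administrator may assign. UserLock::acquire begins and ends outside this hunk.
```cpp
            int err = getgrouplist(pw->pw_name, pw->pw_gid,
                supplementaryGIDs.data(), &ngroups);
            if (err == -1 && ngroups > (int) supplementaryGIDs.size()) {
                /* Buffer too small: ngroups now holds the required count. */
                supplementaryGIDs.resize(ngroups);
                err = getgrouplist(pw->pw_name, pw->pw_gid,
                    supplementaryGIDs.data(), &ngroups);
            }
            // … unchanged: throw on err == -1, final resize(ngroups) …
```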
@@ -1000,7 +1013,7 @@ void DerivationGoal::haveDerivation()
     /* We are first going to try to create the invalid output paths
        through substitutes.  If that doesn't work, we'll build
        them. */
-    if (settings.useSubstitutes && !willBuildLocally(drv))
+    if (settings.useSubstitutes && substitutesAllowed(drv))
         foreach (PathSet::iterator, i, invalidOutputs)
             addWaitee(worker.makeSubstitutionGoal(*i, buildMode == bmRepair));
 
@@ -1188,35 +1201,32 @@ void DerivationGoal::inputsRealised()
 }
 
 
-PathSet outputPaths(const DerivationOutputs & outputs)
+static bool canBuildLocally(const string & platform)
 {
-    PathSet paths;
-    foreach (DerivationOutputs::const_iterator, i, outputs)
-        paths.insert(i->second.path);
-    return paths;
+    return platform == settings.thisSystem
+#if __linux__
+        || (platform == "i686-linux" && settings.thisSystem == "x86_64-linux")
+#endif
+        ;
 }
 
 
-static string get(const StringPairs & map, const string & key)
+static string get(const StringPairs & map, const string & key, const string & def = "")
 {
     StringPairs::const_iterator i = map.find(key);
-    return i == map.end() ? (string) "" : i->second;
+    return i == map.end() ? def : i->second;
 }
 
 
-static bool canBuildLocally(const string & platform)
+bool willBuildLocally(const Derivation & drv)
 {
-    return platform == settings.thisSystem
-#if __linux__
-        || (platform == "i686-linux" && settings.thisSystem == "x86_64-linux")
-#endif
-        ;
+    return get(drv.env, "preferLocalBuild") == "1" && canBuildLocally(drv.platform);
 }
 
 
-bool willBuildLocally(const Derivation & drv)
+bool substitutesAllowed(const Derivation & drv)
 {
-    return get(drv.env, "preferLocalBuild") == "1" && canBuildLocally(drv.platform);
+    return get(drv.env, "allowSubstitutes", "1") == "1";
 }
 
 
@@ -1242,7 +1252,7 @@ void DerivationGoal::tryToBuild()
        can't acquire the lock, then continue; hopefully some other
        goal can start a build, and if not, the main loop will sleep a
        few seconds and then retry this goal. */
-    if (!outputLocks.lockPaths(outputPaths(drv.outputs), "", false)) {
+    if (!outputLocks.lockPaths(outputPaths(drv), "", false)) {
         worker.waitForAWhile(shared_from_this());
         return;
     }
@@ -1263,7 +1273,7 @@ void DerivationGoal::tryToBuild()
         return;
     }
 
-    missingPaths = outputPaths(drv.outputs);
+    missingPaths = outputPaths(drv);
     if (buildMode != bmCheck)
         foreach (PathSet::iterator, i, validPaths) missingPaths.erase(*i);
 
@@ -2168,7 +2178,6 @@ void DerivationGoal::runChild()
         Strings envStrs;
         foreach (Environment::const_iterator, i, env)
             envStrs.push_back(rewriteHashes(i->first + "=" + i->second, rewritesToTmp));
-        auto envArr = stringsToCharPtrs(envStrs);
 
         /* If we are running in `build-users' mode, then switch to the
            user we allocated above.  Make sure that we drop all root
@@ -2177,10 +2186,11 @@ void DerivationGoal::runChild()
            setuid() when run as root sets the real, effective and
            saved UIDs. */
         if (buildUser.enabled()) {
-            printMsg(lvlChatty, format("switching to user `%1%'") % buildUser.getUser());
-
-            if (setgroups(0, 0) == -1)
-                throw SysError("cannot clear the set of supplementary groups");
+            /* Preserve supplementary groups of the build user, to allow
+               admins to specify groups such as "kvm".  */
+            if (setgroups(buildUser.getSupplementaryGIDs().size(),
+                          buildUser.getSupplementaryGIDs().data()) == -1)
+                throw SysError("cannot set supplementary groups of build user");
 
             if (setgid(buildUser.getGID()) == -1 ||
                 getgid() != buildUser.getGID() ||
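Review bot: `getSupplementaryGIDs()` returns the vector by value, so the `setgroups` call takes its count from one temporary copy and its pointer from a second one. Both copies are equal and live until the call returns, so this works, but binding the list once is clearer and avoids two allocations in the child: `const auto gids = buildUser.getSupplementaryGIDs();` followed by `if (setgroups(gids.size(), gids.data()) == -1)`. Because the child now keeps the build user's groups instead of clearing them, the comment could also state that every group in that list becomes available to the builder. runChild starts and ends outside this hunk.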
@@ -2199,7 +2209,6 @@ void DerivationGoal::runChild()
         args.push_back(builderBasename);
         foreach (Strings::iterator, i, drv.args)
             args.push_back(rewriteHashes(*i, rewritesToTmp));
-        auto argArr = stringsToCharPtrs(args);
 
         restoreSIGPIPE();
 
@@ -2207,7 +2216,7 @@ void DerivationGoal::runChild()
         writeFull(STDERR_FILENO, "\n");
 
         /* Execute the program.  This should not return. */
-        execve(drv.builder.c_str(), (char * *) &argArr[0], (char * *) &envArr[0]);
+        execve(drv.builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
 
         throw SysError(format("executing `%1%'") % drv.builder);
 
@@ -2837,7 +2846,6 @@ void SubstitutionGoal::tryToRun()
     args.push_back("--substitute");
     args.push_back(storePath);
     args.push_back(destPath);
-    auto argArr = stringsToCharPtrs(args);
 
     /* Fork the substitute program. */
     pid = startProcess([&]() {
@@ -2847,7 +2855,7 @@ void SubstitutionGoal::tryToRun()
         if (dup2(outPipe.writeSide, STDOUT_FILENO) == -1)
             throw SysError("cannot dup output pipe into stdout");
 
-        execv(sub.c_str(), (char * *) &argArr[0]);
+        execv(sub.c_str(), stringsToCharPtrs(args).data());
 
         throw SysError(format("executing `%1%'") % sub);
     });
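Review bot: The argument array passed to `execv` is now the storage of a temporary returned by `stringsToCharPtrs(args)`, which stays valid only until the end of that full expression. That is long enough for the call, but nothing on the line says so, and hoisting `.data()` into a variable later would leave a dangling pointer; a comment such as `/* the temporary array lives until execv returns */` would guard against that. The same applies to the two temporaries in the `execve` call in runChild earlier in this diff. The return type of stringsToCharPtrs is not visible here, so this assumes it returns a container by value.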