summary refs log tree commit diff
path: root/src/nix-worker
AgeCommit message (Collapse)Author
2007-09-18* Pass various options to the worker so that flags like -K or -j workEelco Dolstra
in multi-user Nix (NIX-72). * Client/worker: exchange a protocol version number for future compatibility.
2007-08-30* Create the Nix daemon socket in a separate directoryEelco Dolstra
(/nix/var/nix/daemon-socket). This allows access to the Nix daemon to be restricted by setting the mode/ownership on that directory as desired, e.g. $ chmod 770 /nix/var/nix/daemon-socket $ chown root.wheel /nix/var/nix/daemon-socket to allow only users in the wheel group to use Nix. Setting the ownership on a socket is much trickier, since the socket must be deleted and recreated every time the daemon is started (which would require additional Nix configuration file directives to specify the mode/ownership, and wouldn't support arbitrary ACLs), some BSD variants appear to ignore permissions on sockets, and it's not clear whether the umask is respected on every platform when creating sockets.
2007-06-12* Support queryDeriver() in multi-user installations.Eelco Dolstra
2007-03-28* Handle ECONNRESET from the client. Also, don't abort() if there areEelco Dolstra
unexpected conditions in the SIGPOLL handler, since that messes up the Berkeley DB environment (which a client must never be able to trigger).
2007-02-22* Handle EINTR in select().Eelco Dolstra
2007-02-21* `nix-store --import' now also works in remote mode. The workerEelco Dolstra
always requires a signature on the archive. This is to ensure that unprivileged users cannot add Trojan horses to the Nix store.
2007-02-21* Support exportPath() in remote mode.Eelco Dolstra
2006-12-12* New primop builtins.filterSource, which can be used to filter filesEelco Dolstra
from a source directory. All files for which a predicate function returns true are copied to the store. Typical example is to leave out the .svn directory: stdenv.mkDerivation { ... src = builtins.filterSource (path: baseNameOf (toString path) != ".svn") ./source-dir; # as opposed to # src = ./source-dir; } This is important because the .svn directory influences the hash in a rather unpredictable and variable way.
2006-12-07* Doh!Eelco Dolstra
2006-12-07* Rename all those main.cc files.Eelco Dolstra
2006-12-06* Fix the safety check.Eelco Dolstra
2006-12-05* Tricky: child processes should not send data to the client sinceEelco Dolstra
that might mess up the protocol. And besides, the socket file descriptor is probably closed.
2006-12-05* Oops! In daemon mode, we can't run as root either if build-users is empty.Eelco Dolstra
2006-12-05* Use an explicit handler for SIGCHLD, since SIG_IGN doesn't do the Eelco Dolstra
right thing on FreeBSD 4 (it leaves zombies).
2006-12-05* Ugly hack to handle spurious SIGPOLLs.Eelco Dolstra
2006-12-05* Some renaming.Eelco Dolstra
2006-12-05* Allow unprivileged users to run the garbage collector and to doEelco Dolstra
`nix-store --delete'. But unprivileged users are not allowed to ignore liveness. * `nix-store --delete --ignore-liveness': ignore the runtime roots as well.
2006-12-05* The determination of the root set should be made by the privilegedEelco Dolstra
process, so forward the operation. * Spam the user about GC misconfigurations (NIX-71). * findRoots: skip all roots that are unreadable - the warnings with which we spam the user should be enough.
2006-12-04* Add indirect root registration to the protocol so that unprivilegedEelco Dolstra
processes can register indirect roots. Of course, there is still the problem that the garbage collector can only read the targets of the indirect roots when it's running as root...
2006-12-04* Not every OS knows about SIGPOLL.Eelco Dolstra
2006-12-04* Handle exceptions and stderr for all protocol functions.Eelco Dolstra
* SIGIO -> SIGPOLL (POSIX calls it that). * Use sigaction instead of signal to register the SIGPOLL handler. Sigaction is better defined, and a handler registered with signal appears not to interrupt fcntl(..., F_SETLKW, ...), which is bad.
2006-12-04* Daemon mode (`nix-worker --daemon'). Clients connect to the serverEelco Dolstra
via the Unix domain socket in /nix/var/nix/daemon.socket. The server forks a worker process per connection. * readString(): use the heap, not the stack. * Some protocol fixes.
2006-12-04* Install the worker in bindir, not libexecdir.Eelco Dolstra
* Allow the worker path to be overriden through the NIX_WORKER environment variable.
2006-12-03* Don't run setuid root when build-users is empty.Eelco Dolstra
* Send startup errors to the client.
2006-12-03* Handle a subtle race condition: the client closing the socketEelco Dolstra
between the last worker read/write and the enabling of the signal handler.
2006-12-03* Some hardcore magic to handle asynchronous client disconnects.Eelco Dolstra
The problem is that when we kill the client while the worker is building, and the builder is not writing anything to stderr, then the worker never notice that the socket is closed on the other side, so it just continues indefinitely. The solution is to catch SIGIO, which is sent when the far side of the socket closes, and simulate an normal interruption. Of course, SIGIO is also sent every time the client sends data over the socket, so we only enable the signal handler when we're not expecting any data...
2006-12-03* Some hackery to propagate the worker's stderr and exceptions to theEelco Dolstra
client.
2006-12-03* Run the worker in a separate session to prevent terminal signalsEelco Dolstra
from interfering.
2006-12-02* Move addTempRoot() to the store API, and add another functionEelco Dolstra
syncWithGC() to allow clients to register GC roots without needing write access to the global roots directory or the GC lock.
2006-12-02* Doh.Eelco Dolstra
2006-12-02* Remove queryPathHash().Eelco Dolstra
* Help for nix-worker.
2006-12-01* Merge addToStore and addToStoreFixed.Eelco Dolstra
* addToStore now adds unconditionally, it doesn't use readOnlyMode. Read-only operation is up to the caller (who can call computeStorePathForPath).
2006-12-01* Right name.Eelco Dolstra
2006-12-01* More operations.Eelco Dolstra
* addToStore() and friends: don't do a round-trip to the worker if we're only interested in the path (i.e., in read-only mode).
2006-11-30* More remote operations.Eelco Dolstra
* Added new operation hasSubstitutes(), which is more efficient than querySubstitutes().size() > 0.
2006-11-30* More operations.Eelco Dolstra
2006-11-30* First remote operation: isValidPath().Eelco Dolstra
2006-11-30* When NIX_REMOTE is set to "slave", fork off nix-worker in slaveEelco Dolstra
mode. Presumably nix-worker would be setuid to the Nix store user. The worker performs all operations on the Nix store and database, so the caller can be completely unprivileged. This is already much more secure than the old setuid scheme, since the worker doesn't need to do Nix expression evaluation and so on. Most importantly, this means that it doesn't need to access any user files, with all resulting security risks; it only performs pure store operations. Once this works, it is easy to move to a daemon model that forks off a worker for connections established through a Unix domain socket. That would be even more secure.
2006-11-30* Skeleton of the privileged worker program.Eelco Dolstra
* Some refactoring: put the NAR archive integer/string serialisation code in a separate file so it can be reused by the worker protocol implementation.