Age | Commit message (Collapse) | Author |
|
between the last worker read/write and the enabling of the signal
handler.
|
|
The problem is that when we kill the client while the worker is
building, and the builder is not writing anything to stderr, then
the worker never notice that the socket is closed on the other side,
so it just continues indefinitely. The solution is to catch SIGIO,
which is sent when the far side of the socket closes, and simulate
an normal interruption. Of course, SIGIO is also sent every time
the client sends data over the socket, so we only enable the signal
handler when we're not expecting any data...
|
|
client.
|
|
from interfering.
|
|
syncWithGC() to allow clients to register GC roots without needing
write access to the global roots directory or the GC lock.
|
|
|
|
* Help for nix-worker.
|
|
* addToStore now adds unconditionally, it doesn't use readOnlyMode.
Read-only operation is up to the caller (who can call
computeStorePathForPath).
|
|
|
|
* addToStore() and friends: don't do a round-trip to the worker if
we're only interested in the path (i.e., in read-only mode).
|
|
* Added new operation hasSubstitutes(), which is more efficient than
querySubstitutes().size() > 0.
|
|
|
|
|
|
mode. Presumably nix-worker would be setuid to the Nix store user.
The worker performs all operations on the Nix store and database, so
the caller can be completely unprivileged.
This is already much more secure than the old setuid scheme, since
the worker doesn't need to do Nix expression evaluation and so on.
Most importantly, this means that it doesn't need to access any user
files, with all resulting security risks; it only performs pure
store operations.
Once this works, it is easy to move to a daemon model that forks off
a worker for connections established through a Unix domain socket.
That would be even more secure.
|
|
* Some refactoring: put the NAR archive integer/string serialisation
code in a separate file so it can be reused by the worker protocol
implementation.
|