Merge pull request #3600 from NixOS/auto-uid-allocation

Automatic UID allocation

doc/manual/src/release-notes/rl-next.md

@@ -10,3 +10,45 @@
   This avoids a lot of spurious errors where some benign strings end-up having
   a context just because they are read from a store path
   ([#7260](https://github.com/NixOS/nix/pull/7260)).
+
+* Nix can now automatically pick UIDs for builds, removing the need to
+  create `nixbld*` user accounts. These UIDs are allocated starting at
+  872415232 (0x34000000) on Linux and 56930 on macOS.
+
+  This is an experimental feature. To enable it, add the following to
+  `nix.conf`:
+
+  ```
+  extra-experimental-features = auto-allocate-uids
+  auto-allocate-uids = true
+  ```
+
+* On Linux, Nix can now run builds in a user namespace where the build
+  runs as root (UID 0) and has 65,536 UIDs available. This is
+  primarily useful for running containers such as `systemd-nspawn`
+  inside a Nix build. For an example, see
+  https://github.com/NixOS/nix/blob/67bcb99700a0da1395fa063d7c6586740b304598/tests/systemd-nspawn.nix.
+
+  A build can enable this by requiring the `uid-range` system feature,
+  i.e. by setting the derivation attribute
+
+  ```
+  requiredSystemFeatures = [ "uid-range" ];
+  ```
+
+  The `uid-range` system feature requires the `auto-allocate-uids`
+  setting to be enabled (see above).
+
+* On Linux, Nix has experimental support for running builds inside a
+  cgroup. It can be enabled by adding
+
+  ```
+  extra-experimental-features = cgroups
+  use-cgroups = true
+  ```
+
+  to `nix.conf`. Cgroups are required for derivations that require the
+  `uid-range` system feature.
+
+* `nix build --json` now prints some statistics about top-level
+  derivations, such as CPU statistics when cgroups are enabled.

flake.nix

@@ -506,6 +506,12 @@
           overlay = self.overlays.default;
         });
 
+        tests.containers = (import ./tests/containers.nix rec {
+          system = "x86_64-linux";
+          inherit nixpkgs;
+          overlay = self.overlays.default;
+        });
+
         tests.setuid = nixpkgs.lib.genAttrs
           ["i686-linux" "x86_64-linux"]
           (system:

src/libcmd/installables.cc

@@ -931,7 +931,7 @@ std::vector<std::pair<std::shared_ptr<Installable>, BuiltPathWithResult>> Instal
 
     case Realise::Outputs: {
         if (settings.printMissing)
-          printMissing(store, pathsToBuild, lvlInfo);
+            printMissing(store, pathsToBuild, lvlInfo);
 
         for (auto & buildResult : store->buildPathsWithResults(pathsToBuild, bMode, evalStore)) {
             if (!buildResult.success())

src/libstore/build-result.hh

@@ -5,7 +5,7 @@
 
 #include <string>
 #include <chrono>
-
+#include <optional>
 
 namespace nix {
 
@@ -78,6 +78,9 @@ struct BuildResult
        was repeated). */
     time_t startTime = 0, stopTime = 0;
 
+    /* User and system CPU time the build took. */
+    std::optional<std::chrono::microseconds> cpuUser, cpuSystem;
+
     bool success()
     {
         return status == Built || status == Substituted || status == AlreadyValid || status == ResolvesToAlreadyValid;

src/libstore/build/derivation-goal.cc

@@ -886,6 +886,14 @@ void DerivationGoal::buildDone()
 
     cleanupPostChildKill();
 
+    if (buildResult.cpuUser && buildResult.cpuSystem) {
+        debug("builder for '%s' terminated with status %d, user CPU %.3fs, system CPU %.3fs",
+            worker.store.printStorePath(drvPath),
+            status,
+            ((double) buildResult.cpuUser->count()) / 1000000,
+            ((double) buildResult.cpuSystem->count()) / 1000000);
+    }
+
     bool diskFull = false;
 
     try {