From 24542a7b9695398c4f0568797b313b18baf948ea Mon Sep 17 00:00:00 2001 From: Geoffrey Thomas Date: Sat, 12 Oct 2024 19:55:58 -0400 Subject: [PATCH 1/5] libstore: Make our sandbox pivot_root directory accessible to ourself If you have the Nix store mounted from a nonlocal filesystem whose exporter is not running as root, making the directory mode 000 makes it inaccessible to that remote unprivileged user and therefore breaks the build. (Specifically, I am running into this with a virtiofs mount using Apple Virtualization.framework as a non-root user, but I expect the same thing would happen with virtiofs in qemu on Linux as a non-root user or with various userspace network file servers.) Make the directory mode 500 (dr-x------) to make the sandbox work in this use case, which explicitly conveys our intention to read and search the directory. The code only works because root can already bypass directory checks, so this does not actually grant more permissions to the directory owner / does not make the sandbox less secure. (cherry picked from commit 5a794d93669a5abb4d151f4594264c38033650b1) --- src/libstore/unix/build/local-derivation-goal.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc index 2a09e3dd42d..ec938b07b2f 100644 --- a/src/libstore/unix/build/local-derivation-goal.cc +++ b/src/libstore/unix/build/local-derivation-goal.cc @@ -1966,7 +1966,7 @@ void LocalDerivationGoal::runChild() if (chdir(chrootRootDir.c_str()) == -1) throw SysError("cannot change directory to '%1%'", chrootRootDir); - if (mkdir("real-root", 0) == -1) + if (mkdir("real-root", 0500) == -1) throw SysError("cannot create real-root directory"); if (pivot_root(".", "real-root") == -1) From 9ee4a85a9951ca3905e3fcf43695ecf0cf721712 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Thu, 3 Oct 2024 01:17:33 +0200 Subject: [PATCH 2/5] doc/manual: Fix some broken fragments (cherry picked from commit 071ddbed57482db8fcbf303fe6754b2cca789e61) # Conflicts: # doc/manual/src/language/operators.md --- doc/manual/src/command-ref/nix-env.md | 2 +- doc/manual/src/language/derivations.md | 4 ++-- doc/manual/src/language/operators.md | 7 ++++++- doc/manual/src/release-notes/rl-2.23.md | 2 +- src/libcmd/installables.cc | 2 +- src/nix/shell.md | 2 +- 6 files changed, 12 insertions(+), 7 deletions(-) diff --git a/doc/manual/src/command-ref/nix-env.md b/doc/manual/src/command-ref/nix-env.md index c6f627365a5..bda02149ed0 100644 --- a/doc/manual/src/command-ref/nix-env.md +++ b/doc/manual/src/command-ref/nix-env.md @@ -62,7 +62,7 @@ These pages can be viewed offline: Several operations, such as [`nix-env --query`](./nix-env/query.md) and [`nix-env --install`](./nix-env/install.md), take a list of *arguments* that specify the packages on which to operate. -Packages are identified based on a `name` part and a `version` part of a [symbolic derivation name](@docroot@/language/derivations.md#attr-names): +Packages are identified based on a `name` part and a `version` part of a [symbolic derivation name](@docroot@/language/derivations.md#attr-name): - `name`: Everything up to but not including the first dash (`-`) that is *not* followed by a letter. - `version`: The rest, excluding the separating dash. diff --git a/doc/manual/src/language/derivations.md b/doc/manual/src/language/derivations.md index 8e3f0f79174..771b2bd9130 100644 --- a/doc/manual/src/language/derivations.md +++ b/doc/manual/src/language/derivations.md @@ -113,7 +113,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect ### Optional -- [`args`]{#attr-args} ([List](@docroot@/language/types.md#list) of [String](@docroot@/language/types.md#type-string)) +- [`args`]{#attr-args} ([List](@docroot@/language/types.md#type-list) of [String](@docroot@/language/types.md#type-string)) Default: `[ ]` @@ -132,7 +132,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect > }; > ``` -- [`outputs`]{#attr-outputs} ([List](@docroot@/language/types.md#list) of [String](@docroot@/language/types.md#type-string)) +- [`outputs`]{#attr-outputs} ([List](@docroot@/language/types.md#type-list) of [String](@docroot@/language/types.md#type-string)) Default: `[ "out" ]` diff --git a/doc/manual/src/language/operators.md b/doc/manual/src/language/operators.md index e1c020781c3..a041f124b60 100644 --- a/doc/manual/src/language/operators.md +++ b/doc/manual/src/language/operators.md @@ -32,8 +32,13 @@ [string]: ./types.md#type-string [path]: ./types.md#type-path [number]: ./types.md#type-float +<<<<<<< HEAD [list]: ./types.md#list [attribute set]: ./types.md#attribute-set +======= +[list]: ./types.md#type-list +[attribute set]: ./types.md#type-attrs +>>>>>>> 071ddbed5 (doc/manual: Fix some broken fragments) @@ -59,7 +64,7 @@ The result is a [Boolean] value. See also: [`builtins.hasAttr`](@docroot@/language/builtins.md#builtins-hasAttr) -[Boolean]: ./types.md#type-boolean +[Boolean]: ./types.md#type-bool [Has attribute]: #has-attribute diff --git a/doc/manual/src/release-notes/rl-2.23.md b/doc/manual/src/release-notes/rl-2.23.md index ac842fdc058..e2e09cc9544 100644 --- a/doc/manual/src/release-notes/rl-2.23.md +++ b/doc/manual/src/release-notes/rl-2.23.md @@ -96,7 +96,7 @@ Nix can now warn when evaluation of a Nix expression causes a large path to be copied to the Nix store. The threshold for this warning can be configured using [the `warn-large-path-threshold` - setting](@docroot@/command-ref/conf-file.md#warn-large-path-threshold), + setting](@docroot@/command-ref/conf-file.md#conf-warn-large-path-threshold), e.g. `--warn-large-path-threshold 100M` will warn about paths larger than 100 MiB. diff --git a/src/libcmd/installables.cc b/src/libcmd/installables.cc index 0fe956ec023..6feb6e0b836 100644 --- a/src/libcmd/installables.cc +++ b/src/libcmd/installables.cc @@ -86,7 +86,7 @@ MixFlakeOptions::MixFlakeOptions() > **DEPRECATED** > - > Use [`--no-use-registries`](#opt-no-use-registries) instead. + > Use [`--no-use-registries`](@docroot@/command-ref/conf-file.md#conf-use-registries) instead. )", .category = category, .handler = {[&]() { diff --git a/src/nix/shell.md b/src/nix/shell.md index 7c315fb3f02..677151a850d 100644 --- a/src/nix/shell.md +++ b/src/nix/shell.md @@ -48,7 +48,7 @@ R""( # Description `nix shell` runs a command in an environment in which the `$PATH` variable -provides the specified [*installables*](./nix.md#installable). If no command is specified, it starts the +provides the specified [*installables*](./nix.md#installables). If no command is specified, it starts the default shell of your user account specified by `$SHELL`. # Use as a `#!`-interpreter From 0e421e7a3541d41ed2d77840bd3c0708d522bd96 Mon Sep 17 00:00:00 2001 From: Kevin Cox Date: Mon, 30 Sep 2024 17:27:49 -0400 Subject: [PATCH 3/5] Improve documentation of `nix flake lock` The previous documentation was inaccurate, stating that it would not update existing inputs. However these inputs will be updated if they are outdated (for example the version of an existing input has been changed). The new text properly reflects this behaviour. (cherry picked from commit d2f627dda9bcbf887c5b6c68e637c1e18bb043e0) --- src/nix/flake-lock.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/nix/flake-lock.md b/src/nix/flake-lock.md index 6d10258e338..d13666a4c0d 100644 --- a/src/nix/flake-lock.md +++ b/src/nix/flake-lock.md @@ -30,9 +30,9 @@ R""( # Description -This command adds inputs to the lock file of a flake (`flake.lock`) -so that it contains a lock for every flake input specified in -`flake.nix`. Existing lock file entries are not updated. +This command updates the lock file of a flake (`flake.lock`) +so that it contains an up-to-date lock for every flake input specified in +`flake.nix`. Lock file entries are aready up-to-date are not modified. If you want to update existing lock entries, use [`nix flake update`](@docroot@/command-ref/new-cli/nix3-flake-update.md) From 792099081cf8645e226e3281c2cbfc0da3dcea43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 18 Sep 2024 15:39:08 +0200 Subject: [PATCH 4/5] add description + example for nix flake archive Update src/nix/flake-archive.md Update src/nix/flake-archive.md (cherry picked from commit f0a4f1908744fc9ad3e2ba3ff6c60cb2d65a56d3) --- src/nix/flake-archive.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/nix/flake-archive.md b/src/nix/flake-archive.md index 85bbeeb169c..18c735b1139 100644 --- a/src/nix/flake-archive.md +++ b/src/nix/flake-archive.md @@ -22,8 +22,20 @@ R""( # nix flake archive --json --dry-run nixops ``` +* Upload all flake inputs to a different machine for remote evaluation + + ``` + # nix flake archive --to ssh://some-machine + ``` + + On the remote machine the flake can then be accessed via its store path. That's computed like this: + + ``` + # nix flake metadata --json | jq -r '.path' + ``` + # Description -FIXME +Copy a flake and all its inputs to a store. This is useful i.e. to evaluate flakes on a different host. )"" From 93e8e5b3471d2c7eb8c158639b3772d0acf820ae Mon Sep 17 00:00:00 2001 From: quatquatt <78693624+quatquatt@users.noreply.github.com> Date: Tue, 17 Sep 2024 22:19:56 -0400 Subject: [PATCH 5/5] docs: Provide an example of updating multiple inputs with `nix flake update` docs: Provide an example of updating multiple inputs with `nix flake update` (cherry picked from commit 9e335ee3b9aa2897962be368e2325fbf4c529c88) --- src/nix/flake-update.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/nix/flake-update.md b/src/nix/flake-update.md index 63df3b12afe..8b0159ff745 100644 --- a/src/nix/flake-update.md +++ b/src/nix/flake-update.md @@ -25,6 +25,19 @@ R""( → 'github:NixOS/nixpkgs/a3a3dda3bacf61e8a39258a0ed9c924eeca8e293' (2023-07-05) ``` +* Update multiple inputs: + + ```console + # nix flake update nixpkgs nixpkgs-unstable + warning: updating lock file '/home/myself/repos/testflake/flake.lock': + • Updated input 'nixpkgs': + 'github:nixos/nixpkgs/8f7492cce28977fbf8bd12c72af08b1f6c7c3e49' (2024-09-14) + → 'github:nixos/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16) + • Updated input 'nixpkgs-unstable': + 'github:nixos/nixpkgs/345c263f2f53a3710abe117f28a5cb86d0ba4059' (2024-09-13) + → 'github:nixos/nixpkgs/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172' (2024-09-16) + ``` + * Update only a single input of a flake in a different directory: ```console