Commit Graph

1955 Commits

Author SHA1 Message Date
Maarten Hoogendoorn
e809667b17 vmTools.runInLinuxImage: add virtio_rng device
This allows the QEMU VMs to use the /dev/random device, by
getting entropy from the host.
2016-07-31 12:39:19 +02:00
Franz Pletz
7e8b3adb04 fetchpatch: add addPrefixes argument
Sometimes patches start without a leading prefix. We default to strip
one prefix or path component from patches (-p1) in the patchPhase in
stdenv.

As all patches should therefore be in this format, fetchpatch should
have an option to normalize patch paths. This commit introduces a new
argument to fetchpatch called addPrefixes that adds one patch prefix to
the old and new paths in a patch before putting it into the store.
2016-07-29 12:03:08 +02:00
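As an added example, not the fetchpatch implementation, the normalisation that addPrefixes performs can be expressed as a small shell filter. The script below reads a unified diff on stdin, prepends `a/` and `b/` to the old and new paths so that the stdenv `-p1` strip lands on the right file, and includes a check that reports whether a diff still has headers with no directory component. Leaving `/dev/null` headers alone (patch uses that name for file creation and deletion) and the `needs_prefix` check are assumptions of this example, not behaviour the commit describes; the sample patch is constructed.

```shell
#!/bin/sh
# Added example, not nixpkgs code: normalise unified-diff file headers so that
# `patch -p1` (the stdenv default) strips exactly one path component.

# Prepend a/ and b/ to the --- and +++ headers of the diff read on stdin.
# /dev/null headers are left untouched (assumption: patch treats that name
# specially, so it must not gain a prefix).
add_patch_prefix() {
  sed -e '/^--- \/dev\/null/b' \
      -e '/^+++ \/dev\/null/b' \
      -e 's|^--- |--- a/|' \
      -e 's|^+++ |+++ b/|'
}

# Exit 0 if any --- or +++ header in the diff on stdin names a path with no
# directory component (so -p1 would strip the whole file name), 1 otherwise.
needs_prefix() {
  awk '
    ($1 == "---" || $1 == "+++") && $2 != "/dev/null" {
      if (index($2, "/") == 0) bad = 1
    }
    END { exit bad ? 0 : 1 }
  '
}

# Constructed sample: a patch exported without leading components, plus one
# newly created file.
sample_patch='--- foo.c
+++ foo.c
@@ -1 +1 @@
-return 0;
+return 1;
--- /dev/null
+++ new.h
@@ -0,0 +1 @@
+#define NEW 1
'

if printf '%s' "$sample_patch" | needs_prefix; then
  printf '%s' "$sample_patch" | add_patch_prefix
fi
```

The header match is line-based: a removed source line that itself starts with `-- ` would also look like a `---` header to both functions. A hunk-aware parser that counts the `@@` line ranges is needed to rule that out; the filter above is only as safe as the diffs fed to it.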
Alexey Shmalko
bb3fc68b30 antBuild: run default hooks
Fixes https://github.com/NixOS/nixpkgs/issues/10931.
antBuild overrides buildPhase and installPhase without calling default
hooks.
2016-07-26 02:02:42 +03:00
Franz Pletz
1109b236cf Merge pull request #16660 from nathan7/tarsum
dockerTools: disable compression in tarsum.go
2016-07-19 10:18:41 +02:00
Renzo Carbonara
e54ec2f907 fetchMavenArtifact: init (#16825)
fetchMavenArtifact downloads a Maven artifact given a group id, an artifact id,
and a version.

Example usage:

   org_apache_httpcomponents_httpclient_4_5_2 = fetchMavenArtifact {
     groupId = "org.apache.httpcomponents";
     artifactId = "httpclient";
     version = "4.5.2";
     sha256 = "0ms00zc28pwqk83nwwbafhq6p8zci9mrjzbqalpn6v0d80hwdzqd";
     # Optionally: repos = [ ... urls to some Maven repos to use ... ];
     # Optionally: url, urls - pointing directly to a specific jar url.
   };

Now `org_apache_httpcomponents_httpclient_4_5_2.jar` points to the downloaded
JAR file, while `org_apache_httpcomponents_httpclient_4_5_2` refers to a
derivation that when used in `buildInputs` will be automatically added to
the Java classpath.
2016-07-19 09:48:36 +02:00
Joachim F
2621e9b641 Merge pull request #16976 from phanimahesh/sourceforge-mirrors
mirrors: add downloads.sourceforge.net
2016-07-16 13:12:49 +02:00
J Phani Mahesh
c4fa18b7a2 mirrors: add downloads.sourceforge.net
downloads.sourceforge.net is the official way to download tarballs from
SourceForge.  However, it is reported as unreliable due to SF's weird
load balancing system.

This commit gives the official mirror utmost priority, and will use
other configured mirrors (which may be temporary) as a fallback only
when the official one can't be reached/download fails/hangs.

References: NixOs/nixpkgs#16900
2016-07-15 13:20:35 +05:30
Tuomas Tynkkynen
13160d9c10 buildInLinuxVM: Workaround bug #16742
This is blocking the channel update: #16949
2016-07-14 15:12:50 +03:00
Vladimír Čunát
1b5ac05845 Merge branch 'staging'
Includes security fixes in gd and libarchive.
2016-07-14 15:51:28 +02:00
Vladimír Čunát
ab9515092b symlinkJoin: truly pass the defaulted parameters
The catch is that in nix the @-pattern binds the set that was *explicitly*
passed to the function, i.e. default values are *not* taken into account.
2016-07-14 15:36:53 +02:00
Alexey Shmalko
0172558e82 buildEnv: build the whole tree of directories to pathsToLink
This patch fixes #16614 and #16741.

The first issue was caused by the fact that both `/share` and
`/share/fish/vendor_completions.d` end in the `pathsToLink`. The
`pkgs/build-support/buildenv/builder.pl` creates `/share`, then links
`/share/fish` under `/share` and then tries to create the directory
`/share/fish/vendor_completions.d` and fails because it already exists.

The simplest way to reproduce the issue is to build the next Nix
expression:

```nix
let pkgs = import <nixpkgs> { };
in pkgs.buildEnv {
  name = "buildenv-issue";

  paths = [
    pkgs.fish
    pkgs.vim
  ];

  pathsToLink = [
    "/share"
    "/share/fish/vendor_completions.d"
  ];
}
```

The second issue is more critical and was caused by the fact findFiles
doesn't recurse deep enough. It stops at first unique directory for the
package (e.g., "/share" or even "/") and later the script decides it
shouldn't link it as it doesn't match pathsToLink (e.g., "/share/fish"),
so the result is empty.

The test:
```nix
let pkgs = import <nixpkgs> { };
in pkgs.buildEnv {
  name = "buildenv-issue";

  paths = [
    pkgs.fish
    pkgs.vim
  ];

  pathsToLink = [
    "/share/fish/functions"
  ];
}
```

or

```nix
let pkgs = import <nixpkgs> { };
in pkgs.buildEnv {
  name = "buildenv-issue";

  paths = [
    pkgs.vim
  ];

  pathsToLink = [
    "/share"
  ];
}
```
2016-07-13 03:54:11 +03:00
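Both failure modes above come down to one decision the builder has to make for every path it finds in a package: link it, descend into it, or skip it. The shell function below is added here as an illustration and is not taken from builder.pl; it makes that decision from a path (relative to the package root) and the pathsToLink list. Its rule is that a directory which is an ancestor of some pathsToLink entry is always descended into, so `/share` with `/share/fish/functions` in pathsToLink is recursed rather than skipped (the second issue), and `/share/fish` with both `/share` and `/share/fish/vendor_completions.d` in the list becomes a real directory rather than a symlink (the first issue); otherwise a path at or below an entry is linked and anything else is skipped. Giving "recurse" precedence over "link" is this example's reading of what the fix needs, and the function models only the pathsToLink check, not what happens when several packages provide the same directory. The package tree it walks is constructed.

```shell
#!/bin/sh
# Added example, not pkgs/build-support/buildenv/builder.pl: decide what to do
# with one path found in a package, given the pathsToLink list.

# $1: path relative to the package root, "/" for the root itself.
# Remaining arguments: the pathsToLink entries.
# Prints "recurse" (create a real directory and look inside), "link"
# (symlink the path into the environment) or "skip".
paths_to_link_action() {
  path=$1; shift
  [ "$path" = / ] && path=          # the root is the empty prefix
  action=skip
  for elem in "$@"; do
    [ "$elem" = / ] && elem=
    # An ancestor of an entry must be a real directory in the environment,
    # whatever the other entries say: a symlinked parent makes the deeper
    # entry's mkdir fail, and a pruned search never reaches the entry.
    case "$elem" in
      "$path"/*) echo recurse; return 0 ;;
    esac
    # At or below an entry: link it.
    if [ "$path" = "$elem" ]; then
      action=link
    else
      case "$path" in
        "$elem"/*) action=link ;;
      esac
    fi
  done
  echo "$action"
}

# Walk a constructed package tree (paths only, no real files) and report the
# decision for each, using the pathsToLink of the first issue above.
for p in / /share /share/fish /share/fish/vendor_completions.d \
         /share/fish/vendor_completions.d/vim.fish /share/vim /bin; do
  printf '%-45s %s\n' "$p" \
    "$(paths_to_link_action "$p" /share /share/fish/vendor_completions.d)"
done
```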
Nikolay Amiantov
d43bde5f2b patchShebangs: quote variable assignment 2016-07-09 03:05:11 +03:00
Cireo
ff3e7d2b4b patchShebangs: strip trailing whitespace
Prior to this commit, trailing whitespace would be introduced when
modifying '#!' lines with no arguments.  For example (whitespace added):

    /nix/store/.../foo: interpreter directive changed
        from "/bin/bash"
          to "/nix/store/...-bash-4.3-p42/bin/bash  "

    /nix/store/.../bar: interpreter directive changed
        from "/bin/baz wef"
          to "/nix/store/...-baz wef "

We add a sed command to strip trailing whitespace, so the above commands
would drop the two spaces after "bash", or the one space after "baz wef".

abbradar: fixed commit title

Closes #16785.
2016-07-09 03:00:27 +03:00
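The whitespace bug above comes from joining an interpreter path with an argument list that may be empty. The script below, an added example rather than the nixpkgs patchShebangs code, rebuilds a `#!` directive from its parts the same way (env-style directives name the real interpreter as the first argument, direct ones name it by path) and strips trailing whitespace before writing it. The `resolve_interpreter` lookup table stands in for the PATH search that patchShebangs does with `type -P`; its names and store paths are constructed.

```shell
#!/bin/sh
# Added example, not the nixpkgs patchShebangs implementation: rebuild a "#!"
# directive from its parts and leave no trailing whitespace behind when the
# original line carried no arguments.

# Stand-in for `type -P`: a fixed table mapping an interpreter name to a
# store path.  Both the names and the store paths here are constructed.
resolve_interpreter() {
  case "$1" in
    bash) printf '%s\n' /nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-bash-4.3-p42/bin/bash ;;
    baz)  printf '%s\n' /nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-baz-1.0/bin/baz ;;
    *)    return 1 ;;
  esac
}

# $1 is everything after "#!" on the script's first line.  Prints the new
# directive (without "#!") or returns 1 if the interpreter is unknown.
new_shebang() {
  set -f            # word-split the old directive without glob expansion
  set -- $1
  set +f
  [ $# -gt 0 ] || return 1
  old_path=$1; shift
  case "$old_path" in
    /usr/bin/env)
      # "#!/usr/bin/env prog args": prog is the real interpreter
      interp=$(resolve_interpreter "$1") || return 1
      shift ;;
    *)
      interp=$(resolve_interpreter "$(basename "$old_path")") || return 1 ;;
  esac
  # "$interp $*" ends in a space when there are no arguments; the sed drops
  # exactly the whitespace the commit above complains about.
  printf '%s\n' "$interp $*" | sed 's/[[:space:]]*$//'
}

for directive in '/bin/bash' '/usr/bin/env bash -e' '/bin/baz wef'; do
  printf '#!%s -> #!%s|\n' "$directive" "$(new_shebang "$directive")"
done
```

The trailing `|` in the demo output makes a dangling space visible; with the sed in place none appears. Note that `set -- $1` splits on IFS, so a directive whose arguments contain quoted spaces is split the same way `read` would split it.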
Bjørn Forsman
68205d0ade nix-prefetch-git: unbreak JSON output
This fixes a regression caused by commit f56ab9e
("nix-prefetch-git: Include the date in the machine-readable [...]")
where a couple of directory paths printed by pushd/popd appeared before
the JSON output on stdout (thus breaking it). Fix it by redirecting the
extraneous output to /dev/null.

Reported by Michael Alan Dorman <mdorman@ironicdesign.com>.
2016-07-04 14:39:47 +02:00
David Grayson
f56ab9e5e4 nix-prefetch-git: Include the date in the machine-readable output on
stdout, in strict ISO 8601 format.

This will be helpful for automatically updating fetchgit expressions
and the dates in version numbers associated with them.
2016-07-03 11:19:13 +01:00
Nathan Zadoks
b9284e445b dockerTools: disable compression in tarsum.go
Previously, tarsum would compress the (discarded) tarball produced.
That's a waste of CPU, and a waste of time.
2016-07-02 02:22:36 -04:00
Nathan Zadoks
23e9e33975 dockerTools: format tarsum.go with gofmt
Nearly all Go code on this earth is formatted with gofmt, and it's
somewhat surprising to find a Go file that isn't formatted accordingly.
2016-07-02 02:22:36 -04:00
Vladimír Čunát
3afa246038 Merge branch 'staging'
This includes a security update of expat.
2016-06-29 07:47:04 +02:00
Benno Fünfstück
a368b27270 fhs-user-env: keep DBUS_SESSION_BUS_ADDRESS env
Steam requires this variable or some games run incredibly slow.
See ValveSoftware/Dota-2#921 for more information.
2016-06-28 23:55:43 +02:00
Nikolay Amiantov
5cec134c70 buildFHSUserEnv: don't set CHROOTENV_EXTRA_BINDS 2016-06-28 18:59:33 +03:00
zimbatm
4f5918cd2e Revert "stdenv: introduce baseHash() to replace stripHash()"
Introduced by mistake

This reverts commit e71a5cb878.
2016-06-25 14:25:58 +01:00
zimbatm
e71a5cb878 stdenv: introduce baseHash() to replace stripHash()
stripHash uses a global variable to communicate its computation
results, but it's not necessary. You can just pipe to stdout in a
subshell. A function mostly behaves like just another command.

baseHash() also introduces a suffix-stripping capability since it's
something the users of the function tend to use.
2016-06-25 14:20:56 +01:00
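The commit was reverted straight away (see above), but the point it makes holds: a helper that reports through a global cannot be used inside `$(...)` or a pipeline, because the assignment happens in a subshell and is lost. The script below is an added example of the idea, not the stdenv stripHash or baseHash code: `baseHash` prints the name with the store hash prefix removed, optionally minus a literal suffix, and `stripHash_global` shows the subshell pitfall of the global-variable style. The character class used for the hash is an assumption (the real Nix base-32 alphabet is a subset of it).

```shell
#!/bin/sh
# Added example, not the nixpkgs stripHash/baseHash code: strip the Nix store
# hash prefix (and optionally a suffix) from a path and print the result on
# stdout, so callers can write "$(baseHash ...)" instead of reading a global.

# $1: a store path or plain file name; $2 (optional): a literal suffix to drop.
baseHash() {
  name=$(basename "$1")
  # A store name starts with a 32-character base-32 hash and a dash.  The real
  # alphabet is a subset of [0-9a-z]; the wider class is an assumption made
  # for brevity.  Names without such a prefix pass through unchanged.
  name=$(printf '%s\n' "$name" | sed 's/^[0-9a-z]\{32\}-//')
  # Suffix stripping via parameter expansion keeps $2 literal (no regex).
  if [ -n "${2-}" ]; then
    name=${name%"$2"}
  fi
  printf '%s\n' "$name"
}

# The global-variable style: fine when called directly, but the result is
# lost whenever the call runs in a subshell (a pipeline, "$(...)", "( )").
stripHash_global() {
  strippedName=$(baseHash "$1")
}

p=/nix/store/7sb42axk5lrxqz45nldrb2pchlys14s1-foo-1.0.tar.gz
printf 'baseHash:        %s\n' "$(baseHash "$p" .tar.gz)"
( stripHash_global "$p" )
printf 'global, subshell: "%s"\n' "${strippedName-}"
stripHash_global "$p"
printf 'global, direct:   "%s"\n' "$strippedName"
```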
Vladimír Čunát
6b27ceb006 Merge 'master' into staging and re-revert merge
... from staging to master, reverted temporarily in aa9a04883e.
2016-06-23 12:09:03 +02:00
Vladimír Čunát
aa9a04883e Revert "Merge branch 'staging'" due to glibc
The main output started to retain dependency on bootstrap-tools; see
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096

This reverts commit c05d829598, reversing
changes made to f073df60d6.
2016-06-23 09:25:10 +02:00
Vladimír Čunát
c05d829598 Merge branch 'staging' 2016-06-22 10:49:56 +02:00
obadz
fb6b4860c7 xl2tpd: add nixos module for service
(required adding execv to libredirect)
2016-06-20 21:41:59 +01:00
Eelco Dolstra
5fc64c4baa debian: 7.10 -> 7.11, 8.4 -> 8.5 2016-06-20 14:39:44 +02:00
zimbatm
b0f8416c5c Merge pull request #16180 from zimbatm/shell-escaping
Escape all shell arguments uniformly
2016-06-19 23:27:52 +01:00
Vladimír Čunát
61b8d27b4c make-wrapper: fixup #14753 changes to make tests work
The tests need to expand the passed variable, and very carefully.
I could see no other easy way than to change single-quoting in
makeWrapper to double-quoting.
The tests now fail with the same problem as on master...
2016-06-19 13:38:46 +02:00
Vladimír Čunát
e757404555 Merge branch 'master' into staging
Hydra nixpkgs: ?compare=1279790
2016-06-19 12:33:04 +02:00
Moritz Ulrich
e72282be84 Merge pull request #16052 from dvc94ch/rust-cross
Rust and cargo improvements
2016-06-16 09:42:23 +02:00
Benno Fünfstück
9ff91371d0 nix-prefetch-git: fix bash evaluation order dependency 2016-06-15 22:54:35 +02:00
David Craven
54f80775cb rust: Refactoring of rust and cargo packages 2016-06-15 12:47:13 +02:00
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
75b9a7beac grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Rob Vermaas
91436641ec Fix hash for Debian 8.4 Jessie
(cherry picked from commit fd60751ce0)
2016-06-13 12:20:55 +00:00
zimbatm
28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
zimbatm
a42b7faaec nix-prefetch-git: shellcheck fixes
Used shellcheck (https://github.com/koalaman/shellcheck) to validate
the script and fixed any resulting escaping and ambiguity issues.
2016-06-12 13:45:20 +01:00
Nikolay Amiantov
b341de88e9 Merge pull request #16030 from abbradar/fhs-refactor
Improvements for FHS user chrootenv
2016-06-11 21:04:20 +04:00
Tuomas Tynkkynen
a06a405d0b cross GCC: Fix some paths to libc headers (after multiple outputs)
It's not completely clear to me why the path to libc headers is set
differently when cross building...
2016-06-11 04:15:17 +03:00
Domen Kožar
7a5b85cdda pkgs.runCommand: passAsFile (buildCommand can be very long)
Close #15803. This avoids the error:

while setting up the build environment: executing
‘/nix/store/7sb42axk5lrxqz45nldrb2pchlys14s1-bash-4.3-p42/bin/bash’:
Argument list too long

Note: I wanted to make it optional based on buildCommand length,
but that seems pointless as I'm sure it's less performant.

Amended by vcunat:
https://github.com/NixOS/nixpkgs/pull/15803#issuecomment-224841225
2016-06-10 10:49:26 +02:00
Vladimír Čunát
46f22d89b9 Merge #15867: glibc, gcc: fixes for ARM targets
... needed after closure-size merge (#7701)
2016-06-10 09:57:17 +02:00
Vladimír Čunát
cec03a8ecd Merge #14753: makeWrapper: allow spaces in variables 2016-06-09 13:09:43 +02:00
Kamil Chmielewski
7eb671ebcd no more goPackages 2016-06-09 13:08:00 +02:00
Nikolay Amiantov
3d8664ee42 buildFHSUserEnv: mark CHROOTENV_EXTRA_BINDS as discussed for deprecation 2016-06-07 14:22:38 +03:00
Nikolay Amiantov
3e90b00c10 buildFHSEnv: link 'bin' output 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
8d9e5d297d buildFHSEnv: don't link GCC compiler part 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
74107a7867 buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.

This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was
to add bound directories from the host to the sandbox, and we now just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.

This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it
is that it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example `/home/alice` mounted to somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
clearly and proceed to removing the temporary directory, bye-bye fs!). It also
probably isn't worth it because I haven't heard that someone actually uses it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end-user.
2016-06-07 04:06:35 +03:00
David Craven
c22f0c7474 Fix buildRustPackage edge cases
1. When multiple versions of the same package are required
   $revs is an array.
2. When cargo fetch is run it usually doesn't need a network
   connection. But when it does SSL_CERT_FILE isn't set.
2016-06-02 17:15:52 +02:00
Eric Litak
7399d0949c fixing libcCross related flags
(excluding darwin and mingw for now)
2016-05-31 16:28:04 -07:00