mirror of
https://github.com/nix-community/disko.git
synced 2024-09-17 09:37:17 +03:00
fix building images when non-binary reproducible builds are present
closure-info has one flaw: this file can contain stale information when builds are not reproducible and the local checksum doesn't match what the remote build created. The workaround here is to disregard the hashes and re-compute them from the NARs we actually have locally instead.
parent
e5b3299a14
commit
4f8c8580b4
45
lib/closure-info.nix
Normal file
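--- /dev/null
+++ b/lib/closure-info.nix
@@ -0,0 +1,45 @@
+# This is a modified version of the closure-info derivation from nixpkgs.
+# Unlike the original, it does not include hashes in the registration file,
+# which might be incorrect if a build is not binary reproducible.
+
+# This derivation builds two files containing information about the
+# closure of 'rootPaths': $out/store-paths contains the paths in the
+# closure, and $out/registration contains a file suitable for use with
+# "nix-store --register-validity".
+
+{ stdenv, coreutils, jq }:
+
+{ rootPaths }:
+
+assert builtins.langVersion >= 5;
+
+stdenv.mkDerivation {
+name = "closure-info";
+
+__structuredAttrs = true;
+
+exportReferencesGraph.closure = rootPaths;
+
+preferLocalBuild = true;
+
+nativeBuildInputs = [ coreutils jq ];
+
+empty = rootPaths == [];
+
+buildCommand =
+''
+out=''${outputs[out]}
+
+mkdir $out
+
+if [[ -n "$empty" ]]; then
+echo 0 > $out/total-nar-size
+touch $out/registration $out/store-paths
+else
+jq -r ".closure | map(.narSize) | add" < "$NIX_ATTRS_JSON_FILE" > $out/total-nar-size
+jq -r '.closure | map([.path, "", (.references | length)] + .references) | add | map("\(.)\n") | add' < "$NIX_ATTRS_JSON_FILE" | head -n -1 > $out/registration
+jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" > $out/store-paths
+fi
+
+'';
+}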
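Review bot: `$out/total-nar-size` is still computed from `.narSize` in `$NIX_ATTRS_JSON_FILE`, the same exported closure metadata whose hashes this file deliberately drops, so the size may be just as stale as the hashes when a path was not built reproducibly. I would add a comment above the first `jq` call such as `# narSize comes from the exported closure metadata and may not match the local NARs; treat total-nar-size as an estimate`. The header comment lists only `store-paths` and `registration` as outputs and should mention `total-nar-size` as well. It would also help to state there that `registration` has no hash field, so it has to be passed to `nix-store --register-validity` without `--hash-given` and cannot be used with `--load-db`.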
@ -38,6 +38,8 @@ let
|
|||||||
${lib.concatMapStringsSep "\n" (disk: "mv ${disk.name}.raw \"$out\"/${disk.name}.raw") (lib.attrValues nixosConfig.config.disko.devices.disk)}
|
${lib.concatMapStringsSep "\n" (disk: "mv ${disk.name}.raw \"$out\"/${disk.name}.raw") (lib.attrValues nixosConfig.config.disko.devices.disk)}
|
||||||
${extraPostVM}
|
${extraPostVM}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
closureInfo = pkgs.callPackage ./closure-info.nix { };
|
||||||
partitioner = ''
|
partitioner = ''
|
||||||
# running udev, stolen from stage-1.sh
|
# running udev, stolen from stage-1.sh
|
||||||
echo "running udev..."
|
echo "running udev..."
|
||||||
@ -55,7 +57,7 @@ let
|
|||||||
|
|
||||||
# populate nix db, so nixos-install doesn't complain
|
# populate nix db, so nixos-install doesn't complain
|
||||||
export NIX_STATE_DIR=$TMPDIR/state
|
export NIX_STATE_DIR=$TMPDIR/state
|
||||||
nix-store --load-db < ${pkgs.closureInfo {
|
${pkgs.fakeroot}/bin/fakeroot nix-store --register-validity --reregister < ${closureInfo {
|
||||||
rootPaths = [ systemToInstall.config.system.build.toplevel ];
|
rootPaths = [ systemToInstall.config.system.build.toplevel ];
|
||||||
}}/registration
|
}}/registration
|
||||||
|
|
||||||
|
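Review bot: The new `nix-store --register-validity --reregister` line records whatever content is in the local store as the valid hash for each path, so a path that is corrupted or modified locally is registered in the image's Nix database without any mismatch being reported. The commit message makes clear this is the intended trade-off, but it should be written down next to the call, for example `# hashes are recomputed from local store contents and may differ from what a binary cache signed for the same path`. The reason for wrapping the call in `${pkgs.fakeroot}/bin/fakeroot` is not stated either; presumably it is needed because registering without given hashes touches path metadata, and a one-line comment would save the next reader from guessing. The enclosing `let` block starts and ends outside these hunks, and the path of the patched file is not shown on the page.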