diff --git a/configure.ac b/configure.ac
index 7decbc7d9..7f2b0a7ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -135,6 +135,7 @@ AC_PATH_PROG(bison, bison, false)
NEED_PROG(perl, perl)
NEED_PROG(tar, tar)
AC_PATH_PROG(dot, dot)
+AC_PATH_PROG(dblatex, dblatex)
AC_PATH_PROG(openssl_prog, openssl, openssl) # if not found, call openssl in $PATH
AC_SUBST(openssl_prog)
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index ac030ee56..1011ee7aa 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -47,6 +47,14 @@ manual.html: $(MANUAL_SRCS) manual.is-valid images
$(XSLTPROC) --nonet --xinclude --output manual.html \
$(docbookxsl)/html/docbook.xsl manual.xml
+manual.pdf: $(MANUAL_SRCS) manual.is-valid images
+ if test "$(dblatex)" != ""; then \
+ $(dblatex) manual.xml; \
+ else \
+ echo "Please install dblatex and rerun configure."; \
+ exit 1; \
+ fi
+
NEWS_OPTS = \
--stringparam generate.toc "article nop" \
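Review bot: The recipe line `$(dblatex) manual.xml` never names its output, so the file it writes matches the rule's target `manual.pdf` only by dblatex's default naming; make it explicit with `$(dblatex) -o manual.pdf manual.xml` so make's up-to-date check and the produced file cannot drift apart. The `else` branch is reached only because `AC_PATH_PROG(dblatex, dblatex)` in configure.ac leaves the variable empty when the program is absent, which is fine, but the failure is then reported at make time rather than by configure; a short comment above the rule, `# dblatex is optional; configure leaves $(dblatex) empty when it is not installed`, would make that intent clear to the next reader. If this Makefile.am has `CLEANFILES` or `EXTRA_DIST` lists outside the hunk, `manual.pdf` presumably belongs there as well, like `manual.html`.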
diff --git a/doc/manual/builtins.xml b/doc/manual/builtins.xml
index 1ce40a607..b6c886199 100644
--- a/doc/manual/builtins.xml
+++ b/doc/manual/builtins.xml
@@ -17,7 +17,7 @@ functions and values. For instance, derivation
is also available as builtins.derivation.
-
+aborts
diff --git a/doc/manual/env-common.xml b/doc/manual/env-common.xml
index 89ee78c76..fdfbaf59a 100644
--- a/doc/manual/env-common.xml
+++ b/doc/manual/env-common.xml
@@ -263,6 +263,17 @@ $ mount -o bind /mnt/otherdisk/nix /nix
+NIX_REMOTE
+
+ This variable should be set to
+ daemon if you want to use the Nix daemon to
+ executed Nix operations, which is necessary in multi-user Nix installations.
+ Otherwise, it should be left unset.
+
+
+
+
diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml
index 3a143e44f..72e4b541a 100644
--- a/doc/manual/installation.xml
+++ b/doc/manual/installation.xml
@@ -100,14 +100,16 @@ ubiquitous 2.5.4a won't. Note that these are only required if you
modify the parser or when you are building from the Subversion
repository.
-Nix uses Sleepycat's Berkeley DB and CWI's ATerm library. These
-are included in the Nix source distribution. If you build from the
-Subversion repository, you must download them yourself and place them
-in the externals/ directory. See
+Nix uses Sleepycat's Berkeley DB, CWI's ATerm library and the
+bzip2 compressor (including the bzip2 library). These are included in
+the Nix source distribution. If you build from the Subversion
+repository, you must download them yourself and place them in the
+externals/ directory. See
externals/Makefile.am for the precise URLs of
these packages. Alternatively, if you already have them installed,
-you can use configure's
-and options to point to their respective
+you can use configure's
+, and
+ options to point to their respective
locations. Note that Berkeley DB must be version
4.5; other versions may not have compatible database formats.
@@ -118,19 +120,21 @@ locations. Note that Berkeley DB must be version
After unpacking or checking out the Nix sources, issue the
following commands:
-
$ ./configure options...
$ make
$ make install
+
+
When building from the Subversion repository, these should be
preceded by the command:
-
-$ ./boostrap
+$ ./bootstrap
+
+
The installation path can be specified by passing the
to
@@ -165,20 +169,24 @@ Hat Linux. They have been known to work work on SuSE Linux 8.1 and
distribution based on glibc 2.3 or later.Once downloaded, the RPMs can be installed or upgraded using
-rpm -U. For example,
+rpm -U. For example,
$ rpm -U nix-0.5pre664-1.i386.rpm
+
+
The RPMs install into the directory /nix.
Nix can be uninstalled using rpm -e nix. After
this it will be necessary to manually remove the Nix store and other
-auxiliary data:
+auxiliary data:
$ rm -rf /nix/store
$ rm -rf /nix/var
+
+
@@ -187,7 +195,7 @@ $ rm -rf /nix/var
You can install the latest stable version of Nix through Nix
itself by subscribing to the channel ,
-or the latest unstable version by subscribing to the channel.
You can also do a one-click
installation by clicking on the package links at root all the time.
-Multi-user mode
+Multi-user mode
-
+To allow a Nix store to be shared safely among multiple users,
+it is important that users are not able to run builders that modify
+the Nix store or database in arbitrary ways, or that interfere with
+builds started by other users. If they could do so, they could
+install a Trojan horse in some package and compromise the accounts of
+other users.
-
-
+To prevent this, the Nix store and database are owned by some
+privileged user (usually root) and builders are
+executed under special user accounts (usually named
+nixbld1, nixbld2, etc.). When a
+unprivileged user runs a Nix command, actions that operate on the Nix
+store (such as builds) are forwarded to a Nix
+daemon running under the owner of the Nix store/database
+that performs the operation.Multi-user mode has one important limitation: only
root can run nix-pull to register the availability
-of pre-built binaries. However, those registrations
-are used by all users to speed up
-builds.
+of pre-built binaries. However, those registrations are shared by all
+users, so they still get the benefit from nix-pulls
+done by root.
+
+
+Setting up the build users
+
+The build users are the special UIDs under
+which builds are performed. They should all be members of the
+build users group (usually called
+nixbld). This group should have no other members.
+The build users should not be members of any other group.
+
+Here is a typical /etc/group definition of
+the build users group with 10 build users:
+
+
+nixbld:!:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10
+
+
+In this example the nixbld group has UID 30000, but
+of course it can be anything that doesn’t collide with an existing
+group.
+
+Here is the corresponding part of
+/etc/passwd:
+
+
+nixbld1:x:30001:65534:Nix build user 1:/var/empty:/noshell
+nixbld2:x:30002:65534:Nix build user 2:/var/empty:/noshell
+nixbld3:x:30003:65534:Nix build user 3:/var/empty:/noshell
+...
+nixbld10:x:30010:65534:Nix build user 10:/var/empty:/noshell
+
+
+The home directory of the build users should not exist or should be an
+empty directory to which they do not have write access.
+
+The build users should have write access to the Nix store, but
+they should not have the right to delete files. Thus the Nix store’s
+group should be the build users group, and it should have the sticky
+bit turned on (like /tmp):
+
+
+$ chgrp nixbld /nix/store
+$ chmod 1777 /nix/store
+
+
+
+
+Finally, you should tell Nix to use the build users by
+specifying the build users group in the build-users-group
+option in the Nix configuration
+file (/nix/etc/nix/nix.conf):
+
+
+build-users-group = nixbld
+
+
+
-
+Nix store/database owned by root
+
+The simplest setup is to let root own the Nix
+store and database. I.e.,
+
+
+$ chown -R root /nix/store /nix/var/nix
+
+
+
+The Nix daemon should be started as follows (as
+root):
+
+
+$ nix-worker --daemon
+
+You’ll want to put that line somewhere in your system’s boot
+scripts.
+
+To let unprivileged users use the daemon, they should set the
+NIX_REMOTE environment
+variable to daemon. So you should put a
+line like
+
+
+export NIX_REMOTE=daemon
+
+into the users’ login scripts.
+
+
+
+
+Nix store/database not owned by root
+
+It is also possible to let the Nix store and database be owned
+by a non-root user, which should be more secureNote
+however that even when the Nix daemon runs as root, not
+that much code is executed as root: Nix
+expression evaluation is performed by the calling (unprivileged) user,
+and builds are performed under the special build user accounts. So
+only the code that accesses the database and starts builds is executed
+as root.. Typically, this user
+is a special account called nix, but it can be
+named anything. It should own the Nix store and database:
+
+
+$ chown -R root /nix/store /nix/var/nix
+
+and of course nix-worker --daemon should be started
+under that user, e.g.,
+
+
+$ su - nix -c "exec /nix/bin/nix-worker --daemon"
+
+
+
+There is a catch, though: non-root users
+cannot start builds under the build user accounts, since the
+setuid system call is obviously privileged. To
+allow a non-root Nix daemon to use the build user
+feature, it calls a setuid-root helper program,
+nix-setuid-helper. This program is installed in
+prefix/libexec/nix-setuid-helper.
+To set the permissions properly (Nix’s make install
+doesn’t do this, since we don’t want to ship setuid-root programs
+out-of-the-box):
+
+
+$ chown root.root /nix/libexec/nix-setuid-helper
+$ chmod 4755 /nix/libexec/nix-setuid-helper
+
+
+(This example assumes that the Nix binaries are installed in
+/nix.)
+
+Of course, the nix-setuid-helper command
+should not be usable by just anybody, since then anybody could run
+commands under the Nix build user accounts. For that reason there is
+a configuration file /etc/nix-setuid.conf that
+restricts the use of the helper. This file should be a text file
+containing precisely two lines, the first being the Nix daemon user
+and the second being the build users group, e.g.,
+
+
+nix
+nixbld
+
+
+The setuid-helper barfs if it is called by a user other than the one
+specified on the first line, or if it is asked to execute a build
+under a user who is not a member of the group specified on the second
+line. The file /etc/nix-setuid.conf must be
+owned by root, and must not be group- or world-writable. The
+setuid-helper barfs if this is not the case.
+
+
+
+
+Restricting access
+
+To limit which users can perform Nix operations, you can use the
+permissions on the directory
+/nix/var/nix/daemon-socket. For instance, if you
+want to restrict the use of Nix to the members of a group called
+nix-users, do
+
+
+$ chgrp nix-users /nix/var/nix/daemon-socket
+$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
+
+
+This way, users who are not in the nix-users group
+cannot connect to the Unix domain socket
+/nix/var/nix/daemon-socket/socket, so they cannot
+perform Nix operations.
+
+
+
+
+
+
+
+
Using Nix
diff --git a/doc/manual/nix-env.xml b/doc/manual/nix-env.xml
index 9b9127921..9af8c0c02 100644
--- a/doc/manual/nix-env.xml
+++ b/doc/manual/nix-env.xml
@@ -19,13 +19,6 @@
nix-envnamevalue
-
-
-
-
-
- attrPath
-
@@ -45,9 +38,6 @@
system
-
-
- pathoperationoptionsarguments
@@ -190,6 +180,7 @@ linkend="sec-common-options" />.
+
@@ -397,6 +388,7 @@ the following paths will be substituted:
+
@@ -592,25 +584,21 @@ $ nix-env -e '*' (remove everything)
-
+
+
-
-
-
-
-
-
+
@@ -622,6 +610,27 @@ $ nix-env -e '*' (remove everything)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ attribute-path
+
+
+
+
names
diff --git a/doc/manual/opt-inst-syn.xml b/doc/manual/opt-inst-syn.xml
new file mode 100644
index 000000000..1c32325e5
--- /dev/null
+++ b/doc/manual/opt-inst-syn.xml
@@ -0,0 +1,15 @@
+
+
+
+
+
+
+
+
+
+
+
+
+ path
+
+
diff --git a/doc/manual/release-notes.xml b/doc/manual/release-notes.xml
index 46c540b87..727a3e4a6 100644
--- a/doc/manual/release-notes.xml
+++ b/doc/manual/release-notes.xml
@@ -38,9 +38,13 @@
paths.
- TODO: allowedReferences for
- checking the set of references in the output of a
- derivation.
+ Derivations can specify the new special attribute
+ allowedReferences to enforce that the references
+ in the output of a derivation are a subset of a declared set of
+ paths. For example, if allowedReferences is an
+ empty list, then the output must not have any references. This is
+ used in NixOS to check that generated files such as initial ramdisks
+ for booting Linux don’t have any dependencies.TODO: semantic cleanups of string concatenation
@@ -54,8 +58,11 @@
nix-store --register-validity.
- TODO: magic exportReferencesGraph
- attribute.
+ The new attribute
+ exportReferencesGraph allows builders access to
+ the references graph of their inputs. This is used in NixOS for
+ tasks such as generating ISO-9660 images that contain a Nix store
+ populated with the closure of certain paths.TODO: option ,
@@ -109,8 +116,10 @@
disambiguation (nix-env -qaA).
- TODO: substitutes table is gone, registering
- substitutes is now much faster.
+ The substitutes table has been removed from the
+ database. This makes operations such as nix-pull
+ and nix-channel --update
+ much faster.nix-prefetch-url now has a
diff --git a/doc/manual/writing-nix-expressions.xml b/doc/manual/writing-nix-expressions.xml
index c4bc35cc7..5fa9e423d 100644
--- a/doc/manual/writing-nix-expressions.xml
+++ b/doc/manual/writing-nix-expressions.xml
@@ -607,7 +607,7 @@ language.Simple values
-Nix has the following basic datatypes:
+Nix has the following basic data types:
@@ -679,7 +679,7 @@ configureFlags = "
instance, builder.sh is not a
pathIt's parsed as an expression that selects the
attribute sh from the variable
- builder.. If the filename is
+ builder.. If the file name is
relative, i.e., if it does not begin with a slash, it is made
absolute at parse time relative to the directory of the Nix
expression that contained it. For instance, if a Nix expression in
@@ -701,7 +701,7 @@ configureFlags = "
ListsLists are formed by enclosing a whitespace-separated list of
-values between square bracktes. For example,
+values between square brackets. For example,
[ 123 ./foo.nix "abc" (f {x=y;}) ]
@@ -927,7 +927,7 @@ evaluates to ["foobar" "foobla" "fooabc"].
if e1 then e2 else e3
where e1 is an expression that should
-evaluate to a boolean value (true or
+evaluate to a Boolean value (true or
false).
@@ -942,7 +942,7 @@ on or between features and dependencies hold. They look like this:
assert e1; e2
where e1 is an expression that should
-evaluate to a boolean value. If it evaluates to
+evaluate to a Boolean value. If it evaluates to
true, e2 is returned;
otherwise expression evaluation is aborted and a backtrace is printed.
@@ -1234,7 +1234,7 @@ set, the attributes of which specify the inputs of the build.
- The optional argument args
+ The optional attribute args
specifies command-line arguments to be passed to the builder. It
should be a list.
@@ -1337,6 +1337,233 @@ command-line argument. See
+
+Advanced attributes
+
+Derivations can declare some infrequently used optional
+attributes.
+
+
+
+ allowedReferences
+
+ The optional attribute
+ allowedReferences specifies a list of legal
+ references (dependencies) of the output of the builder. For
+ example,
+
+
+allowedReferences = [];
+
+
+ enforces that the output of a derivation cannot have any runtime
+ dependencies on its inputs. This is used in NixOS to check that
+ generated files such as initial ramdisks for booting Linux don’t
+ have accidental dependencies on other paths in the Nix
+ store.
+
+
+
+
+ exportReferencesGraph
+
+ This attribute allows builders access to the
+ references graph of their inputs. The attribute is a list of
+ inputs in the Nix store whose references graph the builder needs
+ to know. The value of this attribute should be a list of pairs
+ [name1
+ path1name2
+ path2
+ ...]. The references graph
+ of each pathN will be stored in a text
+ file nameN in the temporary build
+ directory. The text files have the format used by
+ nix-store --register-validity (with the deriver
+ fields left empty). For example, when the following derivation is
+ built:
+
+
+derivation {
+ ...
+ exportReferencesGraph = ["libfoo-graph" libfoo];
+};
+
+
+ the references graph of libfoo is placed in the
+ file libfoo-graph in the temporary build
+ directory.
+
+ exportReferencesGraph is useful for
+ builders that want to do something with the closure of a store
+ path. Examples include the builders in NixOS that generate the
+ initial ramdisk for booting Linux (a cpio
+ archive containing the closure of the boot script) and the
+ ISO-9660 image for the installation CD (which is populated with a
+ Nix store containing the closure of a bootable NixOS
+ configuration).
+
+
+
+
+
+ outputHash
+ outputHashAlgo
+ outputHashMode
+
+ These attributes declare that the derivation is a
+ so-called fixed-output derivation, which
+ means that a cryptographic hash of the output is already known in
+ advance. When the build of a fixed-output derivation finishes,
+ Nix computes the cryptographic hash of the output and compares it
+ to the hash declared with these attributes. If there is a
+ mismatch, the build fails.
+
+ The rationale for fixed-output derivations is derivations
+ such as those produced by the fetchurl
+ function. This function downloads a file from a given URL. To
+ ensure that the downloaded file has not been modified, the caller
+ must also specify a cryptographic hash of the file. For example,
+
+
+fetchurl {
+ url = http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz;
+ md5 = "70c9ccf9fac07f762c24f2df2290784d";
+}
+
+
+ It sometimes happens that the URL of the file changes, e.g.,
+ because servers are reorganised or no longer available. We then
+ must update the call to fetchurl, e.g.,
+
+
+fetchurl {
+ url = ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz;
+ md5 = "70c9ccf9fac07f762c24f2df2290784d";
+}
+
+
+ If a fetchurl derivation was treated like a
+ normal derivation, the output paths of the derivation and
+ all derivations depending on it would change.
+ For instance, if we were to change the URL of the Glibc source
+ distribution in Nixpkgs (a package on which almost all other
+ packages depend) massive rebuilds would be needed. This is
+ unfortunate for a change which we know cannot have a real effect
+ as it propagates upwards through the dependency graph.
+
+ For fixed-output derivations, on the other hand, the name of
+ the output path only depends on the outputHash*
+ and name attributes, while all other attributes
+ are ignored for the purpose of computing the output path. (The
+ name attribute is included because it is part
+ of the path.)
+
+ As an example, here is the (simplified) Nix expression for
+ fetchurl:
+
+
+{stdenv, curl}: # The curl program is used for downloading.
+
+{url, md5}:
+
+stdenv.mkDerivation {
+ name = baseNameOf (toString url);
+ builder = ./builder.sh;
+ buildInputs = [curl];
+
+ # This is a fixed-output derivation; the output must be a regular
+ # file with MD5 hash md5.
+ outputHashMode = "flat";
+ outputHashAlgo = "md5";
+ outputHash = md5;
+
+ inherit url;
+}
+
+
+
+
+ The outputHashAlgo attribute specifies
+ the hash algorithm used to compute the hash. It can currently be
+ "md5", "sha1" or
+ "sha256".
+
+ The outputHashMode attribute determines
+ how the hash is computed. It must be one of the following two
+ values:
+
+
+
+ "flat"
+
+ The output must be a non-executable regular
+ file. If it isn’t, the build fails. The hash is simply
+ computed over the contents of that file (so it’s equal to what
+ Unix commands like md5sum or
+ sha1sum produce).
+
+ This is the default.
+
+
+
+ "recursive"
+
+ The hash is computed over the NAR archive dump
+ of the output (i.e., the result of nix-store
+ --dump). In this case, the output can be
+ anything, including a directory tree.
+
+
+
+
+
+
+
+ The outputHash attribute, finally, must
+ be a string containing the hash in either hexadecimal or base-32
+ notation. (See the nix-hash command
+ for information about converting to and from base-32
+ notation.)
+
+
+
+
+ impureEnvVars
+
+ This attribute allows you to specify a list of
+ environment variables that should be passed from the environment
+ of the calling user to the builder. Usually, the environment is
+ cleared completely when the builder is executed, but with this
+ attribute you can allow specific environment variables to be
+ passed unmodified. For example, fetchurl in
+ Nixpkgs has the line
+
+
+impureEnvVars = ["http_proxy" "https_proxy" ...];
+
+
+ to make it use the proxy server configuration specified by the
+ user in the environment variables http_proxy and
+ friends.
+
+ This attribute is only allowed in fixed-output derivations, where
+ impurities such as these are okay since (the hash of) the output
+ is known in advance. It is ignored for all other
+ derivations.
+
+
+
+
+
+
+
+
+
+
+
diff --git a/mergeTrunkBackIn.sh b/mergeTrunkBackIn.sh
index 388653b80..0fb0b1b78 100755
--- a/mergeTrunkBackIn.sh
+++ b/mergeTrunkBackIn.sh
@@ -1,4 +1,4 @@
-svn merge -r 9549:9561 https://svn.cs.uu.nl:12443/repos/trace/nix/trunk
+svn merge -r 9561:9584 https://svn.cs.uu.nl:12443/repos/trace/nix/trunk
#already done:
# 8628
@@ -26,3 +26,5 @@ svn merge -r 9549:9561 https://svn.cs.uu.nl:12443/repos/trace/nix/trunk
# 9536
# 9549
# 9561
+# 9584
+
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 91680abcf..c082d3979 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -937,6 +937,7 @@ static Expr prim_listToAttrs(EvalState & state, const ATermVector & args)
}
}
+
static Expr prim_removeAttrs(EvalState & state, const ATermVector & args)
{
ATermMap attrs;
@@ -951,6 +952,7 @@ static Expr prim_removeAttrs(EvalState & state, const ATermVector & args)
return makeAttrs(attrs);
}
+
/* Determine whether the argument is a list. */
static Expr prim_isAttrs(EvalState & state, const ATermVector & args)
{
@@ -958,6 +960,7 @@ static Expr prim_isAttrs(EvalState & state, const ATermVector & args)
return makeBool(matchAttrs(evalExpr(state, args[0]), list));
}
+
/*************************************************************
* Lists
*************************************************************/