mirror of
https://github.com/NixOS/nix.git
synced 2025-12-06 00:51:00 +01:00
Merge remote-tracking branch 'origin/master' into lazy-trees
commit
f62018438d
24 changed files with 136 additions and 229 deletions
|
|
@ -121,37 +121,3 @@ error:
|
|||
are not valid, so checking is not possible
|
||||
|
||||
Run the build without `--check`, and then try with `--check` again.
|
||||
|
||||
# Automatic and Optionally Enforced Determinism Verification
|
||||
|
||||
Automatically verify every build at build time by executing the build
|
||||
multiple times.
|
||||
|
||||
Setting `repeat` and `enforce-determinism` in your `nix.conf` permits
|
||||
the automated verification of every build Nix performs.
|
||||
|
||||
The following configuration will run each build three times, and will
|
||||
require the build to be deterministic:
|
||||
|
||||
enforce-determinism = true
|
||||
repeat = 2
|
||||
|
||||
Setting `enforce-determinism` to false as in the following
|
||||
configuration will run the build multiple times, execute the build
|
||||
hook, but will allow the build to succeed even if it does not build
|
||||
reproducibly:
|
||||
|
||||
enforce-determinism = false
|
||||
repeat = 1
|
||||
|
||||
An example output of this configuration:
|
||||
|
||||
```console
|
||||
$ nix-build ./test.nix -A unstable
|
||||
this derivation will be built:
|
||||
/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv
|
||||
building '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' (round 1/2)...
|
||||
building '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' (round 2/2)...
|
||||
output '/nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable' of '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' differs from '/nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable.check' from previous round
|
||||
/nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable
|
||||
```
|
||||
|
|
|
|||
|
|
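Review bot: With the whole "Automatic and Optionally Enforced Determinism Verification" section gone, the guide stops at the `--check` advice and gives no hint that `repeat` and `enforce-determinism` ever existed. Readers who still have those lines in `nix.conf`, or who arrive through an old link to this heading, get no pointer. Consider one sentence after "Run the build without `--check`, and then try with `--check` again." saying that the two settings were removed and that `--check` is what this page documents for verifying a build.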
@ -33,12 +33,17 @@ distribute the public key for verifying the authenticity of the paths.
|
|||
example-nix-cache-1:1/cKDz3QCCOmwcztD2eV6Coggp6rqc9DGjWv7C0G+rM=
|
||||
```
|
||||
|
||||
Then, add the public key and the cache URL to your `nix.conf`'s
|
||||
`trusted-public-keys` and `substituters` options:
|
||||
Then update [`nix.conf`](../command-ref/conf-file.md) on any machine that will access the cache.
|
||||
Add the cache URL to [`substituters`](../command-ref/conf-file.md#conf-substituters) and the public key to [`trusted-public-keys`](../command-ref/conf-file.md#conf-trusted-public-keys):
|
||||
|
||||
substituters = https://cache.nixos.org/ s3://example-nix-cache
|
||||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= example-nix-cache-1:1/cKDz3QCCOmwcztD2eV6Coggp6rqc9DGjWv7C0G+rM=
|
||||
|
||||
Machines that build for the cache must sign derivations using the private key.
|
||||
On those machines, add the path to the key file to the [`secret-key-files`](../command-ref/conf-file.md#conf-secret-key-files) field in their [`nix.conf`](../command-ref/conf-file.md):
|
||||
|
||||
secret-key-files = /etc/nix/key.private
|
||||
|
||||
We will restart the Nix daemon in a later step.
|
||||
|
||||
# Implementing the build hook
|
||||
|
|
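Review bot: "Machines that build for the cache must sign derivations using the private key" does not match the surrounding text, which speaks of verifying "the authenticity of the paths"; what gets signed is store paths, so "sign the store paths they build" would be accurate. The same paragraph introduces `secret-key-files = /etc/nix/key.private` without saying who may read that file. A sentence that it should be readable only by the user the Nix daemon runs as belongs here, since anyone who can read it can produce signatures that every machine listing the public key in `trusted-public-keys` will trust.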
@ -52,14 +57,12 @@ set -eu
|
|||
set -f # disable globbing
|
||||
export IFS=' '
|
||||
|
||||
echo "Signing paths" $OUT_PATHS
|
||||
nix store sign --key-file /etc/nix/key.private $OUT_PATHS
|
||||
echo "Uploading paths" $OUT_PATHS
|
||||
exec nix copy --to 's3://example-nix-cache' $OUT_PATHS
|
||||
exec nix copy --to "s3://example-nix-cache" $OUT_PATHS
|
||||
```
|
||||
|
||||
> **Note**
|
||||
>
|
||||
>
|
||||
> The `$OUT_PATHS` variable is a space-separated list of Nix store
|
||||
> paths. In this case, we expect and want the shell to perform word
|
||||
> splitting to make each output path its own argument to `nix
|
||||
|
|
|
|||
|
|
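Review bot: The hook no longer contains the `nix store sign --key-file /etc/nix/key.private $OUT_PATHS` step, so the script on its own uploads `$OUT_PATHS` without signing them and depends entirely on `secret-key-files` being set in `nix.conf` and the daemon having been restarted. Say so in a comment above `exec nix copy` or in the Note that follows; a reader who copies only the script otherwise uploads paths that carry no signature from this key.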
@ -53,16 +53,18 @@ All options not listed here are passed to `nix-store
|
|||
--realise`, except for `--arg` and `--attr` / `-A` which are passed to
|
||||
`nix-instantiate`.
|
||||
|
||||
- [`--no-out-link`]{#opt-no-out-link}\
|
||||
- <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
|
||||
|
||||
Do not create a symlink to the output path. Note that as a result
|
||||
the output does not become a root of the garbage collector, and so
|
||||
might be deleted by `nix-store
|
||||
--gc`.
|
||||
might be deleted by `nix-store --gc`.
|
||||
|
||||
- <span id="opt-dry-run">[`--dry-run`](#opt-dry-run)</span>
|
||||
|
||||
- [`--dry-run`]{#opt-dry-run}\
|
||||
Show what store paths would be built or downloaded.
|
||||
|
||||
- [`--out-link`]{#opt-out-link} / `-o` *outlink*\
|
||||
- <span id="opt-out-link">[`--out-link`](#opt-out-link)</span> / `-o` *outlink*
|
||||
|
||||
Change the name of the symlink to the output path created from
|
||||
`result` to *outlink*.
|
||||
|
||||
|
|
|
|||
|
|
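Review bot: The `--no-out-link` item ends its anchor with `<span>` instead of `</span>`, so the element is never closed; the `--dry-run` and `--out-link` items in the same hunk close it correctly. Change the end of that line to `</span>`.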
@ -22,7 +22,8 @@ This section lists the options that are common to all operations. These
|
|||
options are allowed for every subcommand, though they may not always
|
||||
have an effect.
|
||||
|
||||
- [`--add-root`]{#opt-add-root} *path*\
|
||||
- <span id="opt-add-root">[`--add-root`](#opt-add-root)</span> *path*
|
||||
|
||||
Causes the result of a realisation (`--realise` and
|
||||
`--force-realise`) to be registered as a root of the garbage
|
||||
collector. *path* will be created as a symlink to the resulting
|
||||
|
|
@ -104,10 +105,6 @@ The following flags are available:
|
|||
previous build, the new output path is left in
|
||||
`/nix/store/name.check.`
|
||||
|
||||
See also the `build-repeat` configuration option, which repeats a
|
||||
derivation a number of times and prevents its outputs from being
|
||||
registered as “valid” in the Nix store unless they are identical.
|
||||
|
||||
Special exit codes:
|
||||
|
||||
- `100`\
|
||||
|
|
|
|||
|
|
@ -88,6 +88,29 @@ extension. The installer will also create `/etc/profile.d/nix.sh`.
|
|||
|
||||
### Linux
|
||||
|
||||
If you are on Linux with systemd:
|
||||
|
||||
1. Remove the Nix daemon service:
|
||||
|
||||
```console
|
||||
sudo systemctl stop nix-daemon.service
|
||||
sudo systemctl disable nix-daemon.socket nix-daemon.service
|
||||
sudo systemctl daemon-reload
|
||||
```
|
||||
|
||||
1. Remove systemd service files:
|
||||
|
||||
```console
|
||||
sudo rm /etc/systemd/system/nix-daemon.service /etc/systemd/system/nix-daemon.socket
|
||||
```
|
||||
|
||||
1. The installer script uses systemd-tmpfiles to create the socket directory.
|
||||
You may also want to remove the configuration for that:
|
||||
|
||||
```console
|
||||
sudo rm /etc/tmpfiles.d/nix-daemon.conf
|
||||
```
|
||||
|
||||
Remove files created by Nix:
|
||||
|
||||
```console
|
||||
|
|
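Review bot: Step 1 stops only `nix-daemon.service`, while the block it replaces also ran `sudo systemctl stop nix-daemon.socket`. `systemctl disable` does not stop a running unit, so the socket stays active and a client connecting to it can start the daemon again before the unit files are deleted in the next step. Make the first command `sudo systemctl stop nix-daemon.socket nix-daemon.service`. The step title says "Remove the Nix daemon service" although both the service and the socket are handled; "service and socket" would match the commands.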
@ -103,16 +126,6 @@ done
|
|||
sudo groupdel 30000
|
||||
```
|
||||
|
||||
If you are on Linux with systemd, remove the Nix daemon service:
|
||||
|
||||
```console
|
||||
sudo systemctl stop nix-daemon.socket
|
||||
sudo systemctl stop nix-daemon.service
|
||||
sudo systemctl disable nix-daemon.socket
|
||||
sudo systemctl disable nix-daemon.service
|
||||
sudo systemctl daemon-reload
|
||||
```
|
||||
|
||||
There may also be references to Nix in
|
||||
|
||||
- `/etc/profile`
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
# Release X.Y (202?-??-??)
|
||||
|
||||
* The `repeat` and `enforce-determinism` options have been removed
|
||||
since they had been broken under many circumstances for a long time.
|
||||
|
||||
* You can now use flake references in the old CLI, e.g.
|
||||
|
||||
```
|
||||
|
|
|
|||
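Review bot: The release note names the settings `repeat` and `enforce-determinism`, but the paragraph removed from the `--check` description in this same commit refers to the first one as `build-repeat`; mention that spelling too so a search for it finds this entry. The note should also say what Nix does when either setting is still present in `nix.conf`, and point to `--check` for verifying a build.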