| blob | 06bc7601b9672e182717750163951e565d3621ad |
13 #include <map>
14 #include <sstream>
15 #include <algorithm>
17 #include <limits.h>
18 #include <time.h>
19 #include <sys/time.h>
20 #include <sys/wait.h>
21 #include <sys/types.h>
22 #include <sys/stat.h>
23 #include <sys/utsname.h>
24 #include <fcntl.h>
25 #include <unistd.h>
26 #include <errno.h>
27 #include <stdio.h>
28 #include <cstring>
29 #include <stdint.h>
31 #include <pwd.h>
32 #include <grp.h>
34 #include <zlib.h>
36 #if HAVE_BZLIB_H
37 # include <bzlib.h>
38 #endif
40 /* Includes required for chroot support. */
41 #if HAVE_SYS_PARAM_H
42 #include <sys/param.h>
43 #endif
44 #if HAVE_SYS_MOUNT_H
45 #include <sys/mount.h>
46 #endif
47 #if HAVE_SYS_SYSCALL_H
48 #include <sys/syscall.h>
49 #endif
50 #if HAVE_SCHED_H
51 #include <sched.h>
52 #endif
54 /* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but
55 <linux/fs.h> does. */
56 #if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H
57 #include <linux/fs.h>
58 #endif
60 #define CHROOT_ENABLED HAVE_CHROOT && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS) && defined(SYS_pivot_root)
62 #if CHROOT_ENABLED
63 #include <sys/socket.h>
64 #include <sys/ioctl.h>
65 #include <net/if.h>
66 #include <netinet/ip.h>
67 #endif
69 #if __linux__
70 #include <sys/personality.h>
71 #endif
73 #if HAVE_STATVFS
74 #include <sys/statvfs.h>
75 #endif
86 /* Forward definition. */
91 /* A pointer to a goal. */
99 };
101 /* Set of goals. */
105 /* A map of paths to goals (and the other way around). */
111 {
117 /* Backlink to the worker. */
120 /* Goals that this goal is waiting for. */
121 Goals waitees;
123 /* Goals waiting for this one to finish. Must use weak pointers
124 here to prevent cycles. */
125 WeakGoals waiters;
127 /* Number of goals we are/were waiting for that have failed. */
130 /* Number of substitution goals we are/were waiting for that
131 failed because there are no substituters. */
134 /* Number of substitution goals we are/were waiting for that
135 failed because othey had unsubstitutable references. */
138 /* Name of this goal for debugging purposes. */
139 string name;
141 /* Whether the goal is finished. */
142 ExitCode exitCode;
145 {
148 }
151 {
153 }
163 {
165 }
168 {
170 }
175 {
177 }
180 {
182 }
184 /* Callback in case of a timeout. It should wake up its waiters,
185 get rid of any running child processes that are being monitored
186 by the worker (important!), etc. */
193 };
200 }
203 /* A mapping used to remember for each child process to what goal it
204 belongs, and file descriptors for receiving log data and output
205 path creation commands. */
206 struct Child
207 {
208 WeakGoalPtr goal;
214 };
219 /* The worker class. */
220 class Worker
221 {
224 /* Note: the worker should only have strong pointers to the
225 top-level goals. */
227 /* The top-level goals of the worker. */
228 Goals topGoals;
230 /* Goals that are ready to do some work. */
231 WeakGoals awake;
233 /* Goals waiting for a build slot. */
234 WeakGoals wantingToBuild;
236 /* Child processes currently running. */
237 Children children;
239 /* Number of build slots occupied. This includes local builds and
240 substitutions but not remote builds via the build hook. */
243 /* Maps used to prevent multiple instantiations of a goal for the
244 same derivation / path. */
245 WeakGoalMap derivationGoals;
246 WeakGoalMap substitutionGoals;
248 /* Goals waiting for busy paths to be unlocked. */
249 WeakGoals waitingForAnyGoal;
251 /* Goals sleeping for a few seconds (polling a lock). */
252 WeakGoals waitingForAWhile;
254 /* Last time the goals in `waitingForAWhile' where woken up. */
259 /* Set if at least one derivation had a BuildError (i.e. permanent
260 failure). */
263 /* Set if at least one derivation had a timeout. */
273 /* Make a goal (with caching). */
274 GoalPtr makeDerivationGoal(const Path & drvPath, const StringSet & wantedOutputs, BuildMode buildMode = bmNormal);
277 /* Remove a dead goal. */
280 /* Wake up a goal (i.e., there is something for it to do). */
283 /* Return the number of local build and substitution processes
284 currently running (but not remote builds via the build
285 hook). */
288 /* Registers a running child process. `inBuildSlot' means that
289 the process counts towards the jobs limit. */
293 /* Unregisters a running child process. `wakeSleepers' should be
294 false if there is no sense in waking up goals that are sleeping
295 because they can't run yet (e.g., there is no free build slot,
296 or the hook would still say `postpone'). */
299 /* Put `goal' to sleep until a build slot becomes available (which
300 might be right away). */
303 /* Wait for any goal to finish. Pretty indiscriminate way to
304 wait for some resource that some other goal is holding. */
307 /* Wait for a few seconds and then retry this goal. Used when
308 waiting for a lock held by another process. This kind of
309 polling is inefficient, but POSIX doesn't really provide a way
310 to wait for multiple locks in the main select() loop. */
313 /* Loop until the specified top-level goals have finished. */
316 /* Wait for input to become available. */
320 };
323 //////////////////////////////////////////////////////////////////////
327 {
328 // FIXME: necessary?
329 // FIXME: O(n)
333 }
337 {
340 }
344 {
351 if (result == ecFailed || result == ecNoSubstituters || result == ecIncompleteClosure) ++nrFailed;
359 /* If we failed and keepGoing is not set, we remove all
360 remaining waitees. */
363 WeakGoals waiters2;
367 }
371 }
372 }
376 {
379 assert(result == ecSuccess || result == ecFailed || result == ecNoSubstituters || result == ecIncompleteClosure);
384 }
387 }
391 {
393 }
397 //////////////////////////////////////////////////////////////////////
400 /* Common initialisation performed in child processes. */
402 {
403 /* Put the child in a separate session (and thus a separate
404 process group) so that it has no controlling terminal (meaning
405 that e.g. ssh cannot open /dev/tty) and it doesn't receive
406 terminal signals. */
410 /* Dup the write side of the logger pipe into stderr. */
414 /* Dup stderr to stdout. */
418 /* Reroute stdin to /dev/null. */
425 }
427 /* Restore default handling of SIGPIPE, otherwise some programs will
428 randomly say "Broken pipe". */
430 {
436 }
439 //////////////////////////////////////////////////////////////////////
442 class UserLock
443 {
445 /* POSIX locks suck. If we have a lock on a file, and we open and
446 close that file again (without closing the original file
447 descriptor), we lose the lock. So we have to be *very* careful
448 not to open a lock file on which we are holding a lock. */
451 Path fnUserLock;
452 AutoCloseFD fdUserLock;
454 string user;
455 uid_t uid;
456 gid_t gid;
475 };
482 {
484 }
488 {
490 }
494 {
499 /* Get the members of the build-users-group. */
506 /* Copy the result of getgrnam. */
507 Strings users;
511 }
517 /* Find a user account that isn't currently in use for another
518 build. */
532 /* We already have a lock on this one. */
546 /* Sanity check... */
551 /* Get the list of supplementary groups of this build user. This
552 is usually either empty or contains a group such as "kvm". */
563 }
564 }
569 }
573 {
580 }
584 {
587 }
590 //////////////////////////////////////////////////////////////////////
593 struct HookInstance
594 {
595 /* Pipes for talking to the build hook. */
596 Pipe toHook;
598 /* Pipe for the hook's standard output/error. */
599 Pipe fromHook;
601 /* Pipe for the builder's standard output/error. */
602 Pipe builderOut;
604 /* The process ID of the hook. */
605 Pid pid;
610 };
614 {
621 /* Create a pipe to get the output of the child. */
624 /* Create the communication pipes. */
627 /* Create a pipe to get the output of the builder. */
630 /* Fork the hook. */
637 /* Dup the communication pipes. */
641 /* Use fd 4 for the builder's stdout/stderr. */
649 NULL);
652 });
657 }
661 {
667 }
668 }
671 //////////////////////////////////////////////////////////////////////
678 {
685 }
686 }
688 }
691 //////////////////////////////////////////////////////////////////////
699 {
701 /* The path of the derivation. */
702 Path drvPath;
704 /* The specific outputs that we need to build. Empty means all of
705 them. */
706 StringSet wantedOutputs;
708 /* Whether additional wanted outputs have been added. */
711 /* Whether to retry substituting the outputs after building the
712 inputs. */
715 /* The derivation stored at drvPath. */
716 Derivation drv;
718 /* The remainder is state held during the build. */
720 /* Locks on the output paths. */
721 PathLocks outputLocks;
723 /* All input paths (that is, the union of FS closures of the
724 immediate input paths). */
725 PathSet inputPaths;
727 /* Referenceable paths (i.e., input and output paths). */
728 PathSet allPaths;
730 /* Outputs that are already valid. If we're repairing, these are
731 the outputs that are valid *and* not corrupt. */
732 PathSet validPaths;
734 /* Outputs that are corrupt or not valid. */
735 PathSet missingPaths;
737 /* User selected for running the builder. */
738 UserLock buildUser;
740 /* The process ID of the builder. */
741 Pid pid;
743 /* The temporary directory. */
744 Path tmpDir;
746 /* The path of the temporary directory in the sandbox. */
747 Path tmpDirInSandbox;
749 /* File descriptor for the log file. */
751 gzFile gzLogFile;
752 #if HAVE_BZLIB_H
754 #endif
755 AutoCloseFD fdLogFile;
757 /* Number of bytes received from the builder's stdout/stderr. */
760 /* Pipe for the builder's standard output/error. */
761 Pipe builderOut;
763 /* The build hook. */
766 /* Whether we're currently doing a chroot build. */
769 Path chrootRootDir;
771 /* RAII object to delete the chroot directory. */
774 /* All inputs that are regular files. */
775 PathSet regularInputPaths;
777 /* Whether this is a fixed-output derivation. */
781 GoalState state;
783 /* Stuff we need to pass to runChild(). */
785 DirsInChroot dirsInChroot;
787 Environment env;
789 /* Hash rewriting. */
792 RedirectedOutputs redirectedOutputs;
794 BuildMode buildMode;
796 /* If we're repairing without a chroot, there may be outputs that
797 are valid but corrupt. So we redirect these outputs to
798 temporary paths. */
799 PathSet redirectedBadOutputs;
801 /* The current round, if we're building multiple times. */
806 /* Path registration info from the previous round, if we're
807 building multiple times. Since this contains the hash, it
808 allows us to compare whether two rounds produced the same
809 result. */
810 ValidPathInfos prevInfos;
812 BuildResult result;
815 DerivationGoal(const Path & drvPath, const StringSet & wantedOutputs, Worker & worker, BuildMode buildMode = bmNormal);
821 {
822 /* Ensure that derivations get built in order of their name,
823 i.e. a derivation named "aardvark" always comes before
824 "baboon". And substitution goals always happen before
825 derivation goals (due to "b$"). */
827 }
832 {
834 }
836 /* Add wanted outputs to an already existing derivation goal. */
842 /* The states. */
851 /* Is the build hook willing to perform the build? */
854 /* Start building a derivation. */
857 /* Run the builder's process. */
862 /* Check that the derivation outputs all exist and register them
863 as valid. */
866 /* Open a log file and a pipe to it. */
869 /* Close the log file. */
872 /* Delete the temporary directory, if we have one. */
875 /* Callback used by the worker to write to the log. */
879 /* Return the set of (in)valid paths. */
882 /* Abort the goal if `path' failed to build. */
885 /* Forcibly kill the child process, if any. */
893 };
896 DerivationGoal::DerivationGoal(const Path & drvPath, const StringSet & wantedOutputs, Worker & worker, BuildMode buildMode)
903 #if HAVE_BZLIB_H
905 #endif
908 {
914 /* Prevent the .chroot directory from being
915 garbage-collected. (See isActiveTempFile() in gc.cc.) */
917 }
921 {
922 /* Careful: we should never ever throw an exception from a
923 destructor. */
927 }
931 {
936 /* If we're using a build user, then there is a tricky
937 race condition: if we kill the build user before the
938 child has done its setuid() to the build user uid, then
939 it won't be killed, and we'll potentially lock up in
940 pid.wait(). So also send a conventional kill to the
941 child. */
949 }
952 }
956 {
961 }
965 {
967 }
971 {
972 /* If we already want all outputs, there is nothing to do. */
983 }
984 }
988 {
994 /* The first thing to do is to make sure that the derivation
995 exists. If it doesn't, it may be created through a
996 substitute. */
1000 }
1005 }
1009 {
1016 }
1018 /* `drvPath' should already be a root, but let's be on the safe
1019 side: if the user forgot to make it a root, we wouldn't want
1020 things being garbage collected while we're busy. */
1025 /* Get the derivation. */
1031 /* Check what outputs paths are not already valid. */
1034 /* If they are all valid, then we're done. */
1038 }
1040 /* Check whether any output previously failed to build. If so,
1041 don't bother. */
1045 /* We are first going to try to create the invalid output paths
1046 through substitutes. If that doesn't work, we'll build
1047 them. */
1054 else
1056 }
1060 {
1063 if (nrFailed > 0 && nrFailed > nrNoSubstituters + nrIncompleteClosure && !settings.tryFallback)
1064 throw Error(format("some substitutes for the outputs of derivation `%1%' failed (usually happens due to networking issues); try `--fallback' to build derivation from source ") % drvPath);
1066 /* If the substitutes form an incomplete closure, then we should
1067 build the dependencies of this derivation, but after that, we
1068 can still use the substitutes for this derivation itself. */
1077 }
1083 }
1087 }
1089 throw Error(format("some outputs of `%1%' are not valid, so checking is not possible") % drvPath);
1091 /* Otherwise, at least one of the output paths could not be
1092 produced using a substitute. So we have to build instead. */
1094 /* Make sure checkPathValidity() from now on checks all
1095 outputs. */
1098 /* The inputs must be built before we can build this goal. */
1100 addWaitee(worker.makeDerivationGoal(i->first, i->second, buildMode == bmRepair ? bmRepair : bmNormal));
1107 else
1109 }
1113 {
1114 /* If we're repairing, we now know that our own outputs are valid.
1115 Now check whether the other paths in the outputs closure are
1116 good. If not, then start derivation goals for the derivations
1117 that produced those outputs. */
1119 /* Get the output closure. */
1120 PathSet outputClosure;
1124 }
1126 /* Filter out our own outputs (which we have already checked). */
1130 /* Get all dependencies of this derivation so that we know which
1131 derivation is responsible for which path in the output
1132 closure. */
1133 PathSet inputClosure;
1141 }
1143 /* Check each path (slow!). */
1144 PathSet broken;
1147 printMsg(lvlError, format("found corrupted or missing path `%1%' in the output closure of `%2%'") % *i % drvPath);
1151 else
1153 }
1158 }
1161 }
1165 {
1168 throw Error(format("some paths in the output closure of derivation ‘%1%’ could not be repaired") % drvPath);
1170 }
1174 {
1183 }
1188 }
1190 /* Gather information necessary for computing the closure and/or
1191 running the build hook. */
1193 /* The outputs are referenceable paths. */
1197 }
1199 /* Determine the full set of input paths. */
1201 /* First, the input derivations. */
1203 /* Add the relevant output closures of the input derivation
1204 `*i' as input paths. Only add the closures of output paths
1205 that are specified as inputs. */
1211 else
1215 }
1217 /* Second, the input sources. */
1225 /* Is this a fixed-output derivation? */
1230 /* Don't repeat fixed-output derivations since they're already
1231 verified by their output hash.*/
1234 /* Okay, try to build. Note that here we don't wait for a build
1235 slot to become available, since we don't need one if there is a
1236 build hook. */
1239 }
1243 {
1245 #if __linux__
1248 #endif
1249 ;
1250 }
1254 {
1257 }
1261 {
1263 }
1267 {
1269 }
1273 {
1276 /* Check for the possibility that some other goal in this process
1277 has locked the output since we checked in haveDerivation().
1278 (It can't happen between here and the lockPaths() call below
1279 because we're not allowing multi-threading.) If so, put this
1280 goal to sleep until another goal finishes, then try again. */
1287 }
1289 /* Obtain locks on all output paths. The locks are automatically
1290 released when we exit this function or the client crashes. If we
1291 can't acquire the lock, then continue; hopefully some other
1292 goal can start a build, and if not, the main loop will sleep a
1293 few seconds and then retry this goal. */
1297 }
1299 /* Now check again whether the outputs are valid. This is because
1300 another process may have started building in parallel. After
1301 it has finished and released the locks, we can (and should)
1302 reuse its results. (Strictly speaking the first check can be
1303 omitted, but that would be less efficient.) Note that since we
1304 now hold the locks on the output paths, no other process can
1305 build this derivation, so no further checks are necessary. */
1312 }
1318 /* If any of the outputs already exist but are not valid, delete
1319 them. */
1326 }
1328 /* Check again whether any output previously failed to build,
1329 because some other process may have tried and failed before we
1330 acquired the lock. */
1334 /* Don't do a remote build if the derivation has the attribute
1335 `preferLocalBuild' set. Also, check and repair modes are only
1336 supported for local builds. */
1339 /* Is the build hook willing to accept this job? */
1343 /* Yes, it has started doing so. Wait until we get
1344 EOF from the hook. */
1348 /* Not now; wait until at least one child finishes or
1349 the wake-up timeout expires. */
1354 /* We should do it ourselves. */
1356 }
1357 }
1359 /* Make sure that we are allowed to start a build. If this
1360 derivation prefers to be done locally, do it even if
1361 maxBuildJobs is 0. */
1367 }
1371 /* Okay, we have to build. */
1384 }
1386 /* This state will be reached when we get EOF on the child's
1387 log pipe. */
1389 }
1393 {
1394 /* We can't atomically replace storePath (the original) with
1395 tmpPath (the replacement), so we have to move it out of the
1396 way first. We'd better not be interrupted here, because if
1397 we're repairing (say) Glibc, we end up with a broken system. */
1405 }
1412 {
1415 /* Since we got an EOF on the logger pipe, the builder is presumed
1416 to have terminated. In fact, the builder could also have
1417 simply have closed its end of the pipe --- just don't do that
1418 :-) */
1420 pid_t savedPid;
1425 /* !!! this could block! security problem! solution: kill the
1426 child */
1429 }
1433 /* So the child is gone now. */
1436 /* Close the read side of the logger pipe. */
1440 }
1443 /* Close the log file. */
1446 /* When running under a build user, make sure that all processes
1447 running under that uid are gone. This is to prevent a
1448 malicious user from leaving behind a process that keeps files
1449 open and modifies them after they have been chown'ed to
1450 root. */
1457 /* Check the exit status. */
1460 /* Heuristically check whether the build failure may have
1461 been caused by a disk full condition. We have no way
1462 of knowing whether the build actually got an ENOSPC.
1463 So instead, check if the disk is (nearly) full now. If
1464 so, we don't mark this build as a permanent failure. */
1465 #if HAVE_STATVFS
1474 #endif
1478 /* Move paths out of the chroot for easier debugging of
1479 build failures. */
1490 }
1492 /* Compute the FS closure of the outputs and register them as
1493 being valid. */
1499 }
1501 /* Delete unused redirected outputs (when doing hash rewriting). */
1505 /* Delete the chroot (if we were using one). */
1510 /* Repeat the build if necessary. */
1517 }
1519 /* It is now safe to delete the lock files, since all future
1520 lockers will see that the output paths are valid; they will
1521 not create new lock files with the same names as the old
1522 (unlinked) lock files. */
1538 }
1544 }
1551 st =
1556 /* Register the outputs of this build as "failed" so we
1557 won't try to build them again (negative caching).
1558 However, don't do this for fixed-output derivations,
1559 since they're likely to fail for transient reasons
1560 (e.g., fetchurl not being able to access the network).
1561 Hook errors (like communication problems with the
1562 remote machine) shouldn't be cached either. */
1566 }
1570 }
1572 /* Release the build user, if applicable. */
1579 }
1583 {
1589 /* Tell the hook about system features (beyond the system type)
1590 required from the build machine. (The hook could parse the
1591 drv file itself, but this is easier.) */
1595 /* Send the request to the hook. */
1600 /* Read the first line of input, which should be a word indicating
1601 whether the hook wishes to perform the build. */
1602 string reply;
1608 }
1611 }
1625 /* Tell the hook all the inputs that have to be copied to the
1626 remote system. This unfortunately has to contain the entire
1627 derivation closure to ensure that the validity invariant holds
1628 on the remote system. (I.e., it's unfortunate that we have to
1629 list it since the remote system *probably* already has it.) */
1630 PathSet allInputs;
1634 string s;
1638 /* Tell the hooks the missing outputs that have to be copied back
1639 from the remote system. */
1646 /* Create the log file and pipe. */
1659 }
1663 {
1666 }
1670 {
1673 }
1677 {
1686 /* Note: built-in builders are *not* running in a chroot environment so
1687 that we can easily implement them in Guile without having it as a
1688 derivation input (they are running under a separate build user,
1689 though). */
1692 /* Construct the environment passed to the builder. */
1695 /* Most shells initialise PATH to some default (/bin:/usr/bin:...) when
1696 PATH is not set. We don't want this, so we fill it in with some dummy
1697 value. */
1700 /* Set HOME to a non-existing path to prevent certain programs from using
1701 /etc/passwd (or NIS, or whatever) to locate the home directory (for
1702 example, wget looks for ~/.wgetrc). I.e., these tools use /etc/passwd
1703 if HOME is not set, but they will just assume that the settings file
1704 they are looking for does not exist if HOME is set but points to some
1705 non-existing path. */
1709 /* Tell the builder where the store is. Usually they
1710 shouldn't care, but this is useful for purity checking (e.g.,
1711 the compiler or linker might only want to accept paths to files
1712 in the store or in the build directory). */
1715 /* The maximum number of cores to utilize for parallel building. */
1718 /* Add all bindings specified in the derivation. */
1722 /* Create a temporary directory where the build will take
1723 place. */
1727 /* In a sandbox, for determinism, always use the same temporary
1728 directory. */
1729 tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/guix-build-" + drvName + "-0" : tmpDir;
1731 /* For convenience, set an environment pointing to the top build
1732 directory. */
1735 /* Also set TMPDIR and variants to point to this directory. */
1738 /* Explicitly set PWD to prevent problems with chroot builds. In
1739 particular, dietlibc cannot figure out the cwd because the
1740 inode of the current directory doesn't appear in .. (because
1741 getdents returns the inode of the mount point). */
1744 /* Compatibility hack with Nix <= 0.7: if this is a fixed-output
1745 derivation, tell the builder, so that for instance `fetchurl'
1746 can skip checking the output. On older Nixes, this environment
1747 variable won't be set, so `fetchurl' will do the check. */
1750 /* *Only* if this is a fixed-output derivation, propagate the
1751 values of the environment variables specified in the
1752 `impureEnvVars' attribute to the builder. This allows for
1753 instance environment variables for proxy configuration such as
1754 `http_proxy' to be easily passed to downloaders like
1755 `fetchurl'. Passing such environment variables from the caller
1756 to the builder is generally impure, but the output of
1757 fixed-output derivations is by definition pure (since we
1758 already know the cryptographic hash of the output). */
1762 }
1764 /* The `exportReferencesGraph' feature allows the references graph
1765 to be passed to a builder. This attribute should be a list of
1766 pairs [name1 path1 name2 path2 ...]. The references graph of
1767 each `pathN' will be stored in a text file `nameN' in the
1768 temporary build directory. The text files have the format used
1769 by `nix-store --register-validity'. However, the deriver
1770 fields are left empty. */
1779 /* Check that the store path is valid. */
1789 /* If there are derivations in the graph, then include their
1790 outputs as well. This is useful if you want to do things
1791 like passing all build-time dependencies of some path to a
1792 derivation that builds a NixOS DVD image. */
1802 }
1803 }
1805 /* Write closure info to `fileName'. */
1808 }
1811 /* If `build-users-group' is not empty, then we have to build as
1812 one of the members of that group. */
1818 /* Make sure that no other processes are executing under this
1819 uid. */
1822 /* Change ownership of the temporary build directory. */
1825 }
1828 #if CHROOT_ENABLED
1829 /* Create a temporary directory in which we set up the chroot
1830 environment using bind-mounts. We put it in the store
1831 to ensure that we can create hard-links to non-directory
1832 inputs in the fake store in the chroot (see below). */
1836 /* Clean up the chroot directory automatically. */
1847 /* Create a writable /tmp in the chroot. Many builders need
1848 this. (Of course they should really respect $TMPDIR
1849 instead.) */
1854 /* Create a /etc/passwd with entries for the build user and the
1855 nobody account. The latter is kind of a hack to support
1856 Samba-in-QEMU. */
1866 /* Declare the build user's group so that programs get a consistent
1867 view of the system (e.g., "id -gn"). */
1872 /* Create /etc/hosts with localhost entry. */
1876 /* Bind-mount a user-configurable set of directories from the
1877 host file system. */
1878 PathSet dirs = tokenizeString<StringSet>(settings.get("build-chroot-dirs", string(DEFAULT_CHROOT_DIRS)));
1879 PathSet dirs2 = tokenizeString<StringSet>(settings.get("build-extra-chroot-dirs", string("")));
1885 else
1887 }
1890 /* Make the closure of the inputs available in the chroot,
1891 rather than the whole store. This prevents any access
1892 to undeclared dependencies. Directories are bind-mounted,
1893 while other inputs are hard-linked (since only directories
1894 can be bind-mounted). !!! As an extra security
1895 precaution, make the fake store only writable by the
1896 build user. */
1913 /* Hard-linking fails if we exceed the maximum
1914 link count on a file (e.g. 32000 of ext3),
1915 which is quite possible after a `nix-store
1916 --optimise'. */
1919 StringSink sink;
1923 }
1926 }
1927 }
1929 /* If we're repairing, checking or rebuilding part of a
1930 multiple-outputs derivation, it's possible that we're
1931 rebuilding a path that is in settings.dirsInChroot
1932 (typically the dependencies of /bin/sh). Throw them
1933 out. */
1937 #else
1939 #endif
1940 }
1947 /* We're not doing a chroot build, but we have some valid
1948 output paths. Since we can't just overwrite or delete
1949 them, we have to do hash rewriting: i.e. in the
1950 environment/arguments passed to the build, we replace the
1951 hashes of the valid outputs with unique dummy strings;
1952 after the build, we discard the redirected outputs
1953 corresponding to the valid outputs, and rewrite the
1954 contents of the new outputs to replace the dummy strings
1955 with the actual hashes. */
1960 /* If we're repairing, then we don't want to delete the
1961 corrupt outputs in advance. So rewrite them as well. */
1967 }
1968 }
1971 /* Run the builder. */
1974 /* Create the log file. */
1977 /* Create a pipe to get the output of the builder. */
1980 /* Fork a child to build the package. Note that while we
1981 currently use forks to run and wait for the children, it
1982 shouldn't be hard to use threads for this on systems where
1983 fork() is unavailable or inefficient.
1985 If we're building in a chroot, then also set up private
1986 namespaces for the build:
1988 - The PID namespace causes the build to start as PID 1.
1989 Processes outside of the chroot are not visible to those on
1990 the inside, but processes inside the chroot are visible from
1991 the outside (though with different PIDs).
1993 - The private mount namespace ensures that all the bind mounts
1994 we do will only show up in this process and its children, and
1995 will disappear automatically when we're done.
1997 - The private network namespace ensures that the builder cannot
1998 talk to the outside world (or vice versa). It only has a
1999 private loopback interface.
2001 - The IPC namespace prevents the builder from communicating
2002 with outside processes using SysV IPC mechanisms (shared
2003 memory, message queues, semaphores). It also ensures that
2004 all IPC objects are destroyed when the builder exits.
2006 - The UTS namespace ensures that builders see a hostname of
2007 localhost rather than the actual hostname.
2008 */
2009 #if CHROOT_ENABLED
2014 /* Ensure proper alignment on the stack. On aarch64, it has to be 16
2015 bytes. */
2022 #endif
2023 {
2026 }
2030 /* parent */
2036 /* Check if setting up the build environment failed. */
2043 }
2045 }
2049 {
2050 /* Warning: in the child we should absolutely not make any SQLite
2051 calls! */
2061 #if CHROOT_ENABLED
2063 /* Initialise the loopback interface. */
2075 /* Set the hostname etc. to fixed values. */
2083 /* Make all filesystems private. This is necessary
2084 because subtrees may have been mounted as "shared"
2085 (MS_SHARED). (Systemd does this, for instance.) Even
2086 though we have a private mount namespace, mounting
2087 filesystems on top of a shared subtree still propagates
2088 outside of the namespace. Making a subtree private is
2089 local to the namespace, though, so setting MS_PRIVATE
2090 does not affect the outside world. */
2093 }
2095 /* Bind-mount chroot directory to itself, to treat it as a
2096 different filesystem from /, as needed for pivot_root. */
2100 /* Set up a nearly empty /dev, unless the user asked to
2101 bind-mount the host /dev. */
2102 Strings ss;
2107 #ifdef __linux__
2110 #endif
2120 }
2122 /* Fixed-output derivations typically need to access the
2123 network, so give them access to /etc/resolv.conf and so
2124 on. */
2130 }
2134 /* Bind-mount all the directories from the "host"
2135 filesystem that we want in the chroot
2136 environment. */
2150 }
2153 }
2155 /* Bind a new instance of procfs on /proc to reflect our
2156 private PID namespace. */
2161 /* Mount a new tmpfs on /dev/shm to ensure that whatever
2162 the builder puts in /dev/shm is cleaned up automatically. */
2163 if (pathExists("/dev/shm") && mount("none", (chrootRootDir + "/dev/shm").c_str(), "tmpfs", 0, 0) == -1)
2166 /* Mount a new devpts on /dev/pts. Note that this
2167 requires the kernel to be compiled with
2168 CONFIG_DEVPTS_MULTIPLE_INSTANCES=y (which is the case
2169 if /dev/ptx/ptmx exists). */
2173 {
2174 if (mount("none", (chrootRootDir + "/dev/pts").c_str(), "devpts", 0, "newinstance,mode=0620") == -1)
2178 /* Make sure /dev/pts/ptmx is world-writable. With some
2179 Linux versions, it is created with permissions 0. */
2181 }
2183 /* Do the chroot(). */
2190 #define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
2192 throw SysError(format("cannot pivot old root directory onto '%1%'") % (chrootRootDir + "/real-root"));
2193 #undef pivot_root
2203 }
2204 #endif
2209 /* Close all other file descriptors. */
2212 #if __linux__
2213 /* Change the personality to 32-bit if we're doing an
2214 i686-linux build on an x86_64-linux machine. */
2222 }
2229 }
2231 /* Impersonate a Linux 2.6 machine to get some determinism in
2232 builds that depend on the kernel version. */
2233 if ((drv.platform == "i686-linux" || drv.platform == "x86_64-linux") && settings.impersonateLinux26) {
2236 }
2238 /* Disable address space randomization for improved
2239 determinism. */
2242 #endif
2244 /* Fill in the environment. */
2245 Strings envStrs;
2249 /* If we are running in `build-users' mode, then switch to the
2250 user we allocated above. Make sure that we drop all root
2251 privileges. Note that above we have closed all file
2252 descriptors except std*, so that's safe. Also note that
2253 setuid() when run as root sets the real, effective and
2254 saved UIDs. */
2256 /* Preserve supplementary groups of the build user, to allow
2257 admins to specify groups such as "kvm". */
2271 }
2275 /* Indicate that we managed to set up the build environment. */
2278 /* Execute the program. This should not return. */
2285 /* Check what the output file name is. When doing a
2286 'bmCheck' build, the output file name is different from
2287 that specified in DRV due to hash rewriting. */
2294 }
2295 else
2301 }
2302 }
2304 /* Fill in the arguments. */
2305 Strings args;
2311 execve(drv.builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
2315 /* Right platform? Check this after we've tried 'execve' to allow for
2316 transparent emulation of different platforms with binfmt_misc
2317 handlers that invoke QEMU. */
2324 }
2330 writeFull(STDERR_FILENO, "while setting up the build environment: " + string(e.what()) + "\n");
2332 }
2335 }
2338 /* Parse a list of reference specifiers. Each element must either be
2339 a store path, or the symbolic name of the output of the derivation
2340 (such as `out'). */
2342 {
2343 PathSet result;
2353 }
2355 }
2359 {
2360 /* When using a build hook, the build hook can register the output
2361 as valid (by doing `nix-store --import'). If so we don't have
2362 to do anything here. */
2368 }
2370 ValidPathInfos infos;
2372 /* Set of inodes seen during calls to canonicalisePathMetaData()
2373 for this build's outputs. This needs to be shared between
2374 outputs to allow hard links between outputs. */
2375 InodesSeen inodesSeen;
2379 /* Check whether the output paths were created, and grep each
2380 output path to determine what other paths it references. Also make all
2381 output paths read-only. */
2390 /* Move output paths from the chroot to the store. */
2393 else
2396 }
2406 }
2415 }
2417 #ifndef __CYGWIN__
2418 /* Check that the output is not group or world writable, as
2419 that means that someone else can have interfered with the
2420 build. Also, the output should be owned by the build
2421 user. */
2424 throw BuildError(format("suspicious ownership or permission on `%1%'; rejecting this build output") % path);
2425 #endif
2427 /* Apply hash rewriting if necessary. */
2432 /* Canonicalise first. This ensures that the path we're
2433 rewriting doesn't contain a hard link to /etc/shadow or
2434 something like that. */
2435 canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
2437 /* FIXME: this is in-memory. */
2438 StringSink sink;
2446 }
2451 /* Check that fixed-output derivations produced the right
2452 outputs (i.e., the content hash should match the specified
2453 hash). */
2460 /* The output path should be a regular file without
2461 execute permission. */
2465 }
2467 /* Check the hash. */
2475 }
2476 }
2478 /* Get rid of all weird permissions. This also checks that
2479 all files are owned by the build user, if applicable. */
2483 /* For this output path, find the references to other paths
2484 contained in it. Compute the SHA-256 NAR hash at the same
2485 time. The hash is stored in the database so that we can
2486 verify later on whether nobody has messed with the store. */
2487 HashResult hash;
2499 throw Error(format("derivation `%1%' may not be deterministic: output `%2%' differs from ‘%3%’")
2504 }
2510 }
2512 /* For debugging, print out the referenced and unreferenced
2513 paths. */
2518 else
2520 }
2522 /* Enforce `allowedReferences' and friends. */
2528 PathSet used;
2530 /* Our requisites are the union of the closures of our references. */
2532 /* Don't call computeFSClosure on ourselves. */
2541 throw BuildError(format("output (`%1%') is not allowed to refer to path `%2%'") % actualPath % i);
2544 throw BuildError(format("output (`%1%') is not allowed to refer to path `%2%'") % actualPath % i);
2545 }
2546 };
2557 }
2559 ValidPathInfo info;
2566 }
2570 /* Compare the result with the previous round, and report which
2571 path is different, if any.*/
2581 else
2585 }
2587 }
2597 }
2598 }
2600 }
2605 }
2607 /* Register each output path as valid, and register the sets of
2608 paths referenced by each of them. If there are cycles in the
2609 outputs, this will fail. */
2611 }
2618 {
2625 /* Create a log file. */
2626 Path dir = (format("%1%/%2%/%3%/") % settings.nixLogDir % drvsLogDir % string(baseName, 0, 2)).str();
2630 {
2637 /* Note: FD will be closed by 'gzclose'. */
2645 }
2647 #if HAVE_BZLIB_H
2662 }
2663 #endif
2671 }
2672 }
2675 }
2679 {
2684 if (err != Z_OK) throw Error(format("cannot close compressed log file (gzip error = %1%)") % err);
2685 }
2686 #if HAVE_BZLIB_H
2691 if (err != BZ_OK) throw Error(format("cannot close compressed log file (BZip2 error = %1%)") % err);
2692 }
2693 #endif
2698 }
2701 }
2705 {
2710 }
2715 }
2716 }
2720 {
2727 // Change the ownership if clientUid is set. Never change the
2728 // ownership or the group to "root" for security reasons.
2732 }
2733 }
2734 else
2737 }
2738 }
2742 {
2743 string prefix;
2746 /* Print a prefix that allows clients to determine whether a message
2747 comes from the daemon or from a build process, and in the latter
2748 case, which build process it comes from. The PID here matches the
2749 one given in "@ build-started" traces; it's shorter that the
2750 derivation file name, hence this choice. */
2754 }
2758 {
2766 }
2774 if (count == 0) throw Error(format("cannot write to compressed log file (gzip error = %1%)") % gzerror(gzLogFile, &err));
2775 }
2776 #if HAVE_BZLIB_H
2780 if (err != BZ_OK) throw Error(format("cannot write to compressed log file (BZip2 error = %1%)") % err);
2781 #endif
2784 }
2788 }
2792 {
2794 }
2798 {
2799 PathSet result;
2806 }
2808 }
2812 {
2825 }
2829 {
2831 string h2 = string(printHash32(hashString(htSHA256, "rewrite:" + drvPath + ":" + path)), 0, 32);
2841 }
2845 {
2851 if (result.status == BuildResult::PermanentFailure || result.status == BuildResult::CachedFailure)
2853 }
2856 //////////////////////////////////////////////////////////////////////
2860 {
2864 /* The store path that should be realised through a substitute. */
2865 Path storePath;
2867 /* The remaining substituters. */
2868 Paths subs;
2870 /* The current substituter. */
2871 Path sub;
2873 /* Whether any substituter can realise this path */
2876 /* Path info returned by the substituter's query info operation. */
2877 SubstitutablePathInfo info;
2879 /* Pipe for the substituter's standard output. */
2880 Pipe outPipe;
2882 /* Pipe for the substituter's standard error. */
2883 Pipe logPipe;
2885 /* The process ID of the builder. */
2886 Pid pid;
2888 /* Lock on the store path. */
2891 /* Whether to try to repair a valid path. */
2894 /* Location where we're downloading the substitute. Differs from
2895 storePath when doing a repair. */
2896 Path destPath;
2899 GoalState state;
2908 {
2909 /* "a$" ensures substitution goals happen before derivation
2910 goals. */
2912 }
2916 /* The states. */
2924 /* Callback used by the worker to write to the log. */
2929 };
2936 {
2941 }
2945 {
2947 }
2951 {
2958 }
2960 }
2964 {
2966 }
2970 {
2975 /* If the path already exists we're done. */
2979 }
2982 throw Error(format("cannot substitute path `%1%' - no write access to the store") % storePath);
2987 }
2991 {
2995 /* None left. Terminate this goal and let someone else deal
2996 with it. */
2997 debug(format("path `%1%' is required, but there is no substituter that can build it") % storePath);
2998 /* Hack: don't indicate failure if there were no substituters.
2999 In that case the calling derivation should just do a
3000 build. */
3003 }
3008 SubstitutablePathInfos infos;
3016 /* To maintain the closure invariant, we first have to realise the
3017 paths referenced by this one. */
3024 else
3026 }
3030 {
3037 }
3045 }
3049 {
3052 /* Make sure that we are allowed to start a build. Note that even
3053 is maxBuildJobs == 0 (no local builds allowed), we still allow
3054 a substituter to run. This is because substitutions cannot be
3055 distributed to another machine via the build hook. */
3059 }
3061 /* Maybe a derivation goal has already locked this path
3062 (exceedingly unlikely, since it should have used a substitute
3063 first, but let's be defensive). */
3070 }
3072 /* Acquire a lock on the output path. */
3077 }
3079 /* Check again whether the path is invalid. */
3085 }
3094 /* Remove the (stale) output path if it exists. */
3100 /* Fill in the arguments. */
3101 Strings args;
3107 /* Fork the substitute program. */
3118 });
3131 }
3135 {
3138 /* Since we got an EOF on the logger pipe, the substitute is
3139 presumed to have terminated. */
3143 /* So the child is gone now. */
3146 /* Close the read side of the logger pipe. */
3149 /* Get the hash info from stdout. */
3154 /* Check the exit status and the build result. */
3155 HashResult hash;
3167 /* Verify the expected hash we got from the substituer. */
3184 }
3185 }
3194 }
3196 /* Try the next substitute. */
3200 }
3208 ValidPathInfo info2;
3228 }
3232 {
3235 /* Don't write substitution output to a log file for now. We
3236 probably should, though. */
3237 }
3241 {
3243 }
3247 //////////////////////////////////////////////////////////////////////
3255 {
3256 /* Debugging: prevent recursive workers. */
3263 }
3267 {
3270 /* Explicitly get rid of all strong pointers now. After this all
3271 goals that refer to this worker should be gone. (Otherwise we
3272 are in trouble, since goals may call childTerminated() etc. in
3273 their destructors). */
3275 }
3280 {
3289 }
3293 {
3299 }
3301 }
3305 {
3306 /* !!! inefficient */
3313 }
3315 }
3319 {
3324 /* If a top-level goal failed, then kill all other goals
3325 (unless keepGoing was set). */
3328 }
3330 /* Wake up goals waiting for any goal to finish. */
3334 }
3337 }
3341 {
3344 }
3348 {
3350 }
3356 {
3357 Child child;
3365 }
3369 {
3377 nrLocalBuilds--;
3378 }
3384 /* Wake up goals waiting for a build slot. */
3388 }
3391 }
3392 }
3396 {
3400 else
3402 }
3406 {
3409 }
3413 {
3416 }
3420 {
3429 /* Call every wake goal (in the ordering established by
3430 CompareGoalPtrs). */
3432 Goals awake2;
3436 }
3442 }
3443 }
3447 /* Wait for input. */
3452 "unable to start any build; either increase `--max-jobs' "
3455 }
3456 }
3458 /* If --keep-going is not set, it's possible that the main goal
3459 exited while some of its subgoals were still active. But if
3460 --keep-going *is* set, then they must all be finished now. */
3464 }
3468 {
3471 /* Process output from the file descriptors attached to the
3472 children, namely log output and output path creation commands.
3473 We also use this to detect child termination: if we get EOF on
3474 the logger pipe of a build, we assume that the builder has
3475 terminated. */
3482 /* If we're monitoring for silence on stdout/stderr, or if there
3483 is a build timeout, then wait for input until the first
3484 deadline for any child. */
3493 }
3498 }
3500 /* If we are polling goals that are waiting for a lock, then wake
3501 up after a few seconds at most. */
3507 timeout.tv_sec = std::max((time_t) 1, (time_t) (lastWokenUp + settings.pollInterval - before));
3511 /* Use select() to wait for the input side of any logger pipe to
3512 become `available'. Note that `available' (i.e., non-blocking)
3513 includes EOF. */
3514 fd_set fds;
3521 }
3522 }
3527 }
3531 /* Process all available file descriptors. */
3533 /* Since goals may be canceled from inside the loop below (causing
3534 them go be erased from the `children' map), we have to be
3535 careful that we don't keep iterators alive across calls to
3536 timedOut(). */
3566 }
3567 }
3568 }
3574 {
3579 }
3585 {
3590 }
3591 }
3598 }
3600 }
3601 }
3605 {
3607 }
3610 //////////////////////////////////////////////////////////////////////
3614 {
3620 Goals goals;
3625 else
3627 }
3631 PathSet failed;
3637 }
3641 }
3645 {
3646 /* If the path is already valid, we're done. */
3656 throw Error(format("path `%1%' does not exist and cannot be created") % path, worker.exitStatus());
3657 }
3661 {
3669 /* Since substituting the path didn't work, if we have a valid
3670 deriver, then rebuild the deriver. */
3678 }
3679 }
3682 }